@@ -72,4 +72,4 @@
{% endfor %}
-{% endmacro %}
\ No newline at end of file
+{% endmacro %}
diff --git a/attack-theme/templates/macros/search.html b/attack-theme/templates/macros/search.html
index 2dff4aa2bf4..593cef53e58 100644
--- a/attack-theme/templates/macros/search.html
+++ b/attack-theme/templates/macros/search.html
@@ -13,6 +13,256 @@
×
+
+
+
+
+ Core Objects: All
+
+
+
+
+
+ Defenses: All
+
+
+
+
+
+ CTI: All
+
+
+
+
+
+ Reference: All
+
+
+
+
+
+ Domains: All
+
+
+
+ Domains
+
+ All
+ None
+
+
+
+ Enterprise 0
+ Mobile 0
+ ICS 0
+
+
+
+
+ Show all Filters
+
+
+
+
+ Page type
+
+ All
+ None
+
+
+
+
+
+ Core ATT&CK Objects
+
+ All
+ None
+
+
+
+ Matrices 0
+ Tactics 0
+ Techniques 0
+ Sub-Techniques 0
+
+
+
+
+
+ Defenses
+
+ All
+ None
+
+
+
+ Mitigations 0
+ Assets 0
+ Detection Strategies
+ 0
+ Analytics 0
+ Data Components 0
+
+
+
+
+
+ CTI
+
+ All
+ None
+
+
+
+ Groups 0
+ Software 0
+ Campaigns 0
+
+
+
+
+
+ Reference
+
+ All
+ None
+
+
+
+ Resources 0
+
+
+
+
+ Domain
+
+ All
+ None
+
+
+
+ Enterprise 0
+ Mobile 0
+ ICS 0
+
+
+
-{% endmacro %}
\ No newline at end of file
+{% endmacro %}
diff --git a/data/resources_navigation.json b/data/resources_navigation.json
index 5a2ee05d3f4..6fe15e16cdc 100644
--- a/data/resources_navigation.json
+++ b/data/resources_navigation.json
@@ -76,6 +76,19 @@
}
]
},
+ {
+ "name": "ATT&CK Advisory Council",
+ "id": "attack-advisory-council",
+ "path": "/resources/attack-advisory-council/",
+ "children": [
+ {
+ "name": "Members & Bios",
+ "id": "attack-advisory-council-members",
+ "path": "/resources/attack-advisory-council/members/",
+ "children": []
+ }
+ ]
+ },
{
"name": "ATT&CKcon",
"id": "attackcon",
@@ -138,4 +151,4 @@
"children": []
}
]
-}
\ No newline at end of file
+}
diff --git a/data/versions.json b/data/versions.json
index d82e7d79863..55aec8f581d 100644
--- a/data/versions.json
+++ b/data/versions.json
@@ -1,11 +1,19 @@
{
"current": {
- "name": "v18.1",
- "date_start": "October 28, 2025",
- "changelog": "updates-october-2025",
- "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v18.1"
+ "name": "v19.0",
+ "date_start": "April 28, 2026",
+ "changelog": "updates-april-2026",
+ "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v19.0"
},
"previous": [
+ {
+ "name": "v18.1",
+ "date_start": "October 28, 2025",
+ "date_end": "April 27, 2026",
+ "changelog": "updates-october-2025",
+ "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v18.1",
+ "commit": "df562ec75955c9c47674089efc3bc81b636b4ca5"
+ },
{
"name": "v17.1",
"date_start": "April 22, 2025",
diff --git a/modules/analytics/analytics.py b/modules/analytics/analytics.py
index 3f6a86d2fcb..e0d24b63c71 100644
--- a/modules/analytics/analytics.py
+++ b/modules/analytics/analytics.py
@@ -1,9 +1,10 @@
import json
import os
-from modules import util
from loguru import logger
+from modules import util
+
from . import analytics_config
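Review bot: The reordered block now places the first-party `from modules import util` directly under the third-party `from loguru import logger` with no blank line, while a blank line separates it from the relative import on the next line; the conventional stdlib / third-party / local grouping would put the blank line between `loguru` and `modules` instead. Suggest `from loguru import logger`, blank line, `from modules import util`, blank line, `from . import analytics_config`. This is a style point only; the change is otherwise a pure reorder with no behavioural effect.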
diff --git a/modules/datacomponents/datacomponents.py b/modules/datacomponents/datacomponents.py
index 2a795c78625..53b313f005b 100644
--- a/modules/datacomponents/datacomponents.py
+++ b/modules/datacomponents/datacomponents.py
@@ -140,9 +140,19 @@ def generate_datacomponent_md(datacomponent, notes, mappings):
datacomponent_information = mappings.get(datacomponent.get("id"), [])
detection_strategies = []
for detection_strategy, analytic, log_source in datacomponent_information:
+ # Skip revoked or deprecated detection strategies
+ if util.buildhelpers.is_deprecated(detection_strategy) or util.buildhelpers.is_revoked(detection_strategy):
+ continue
+
technique_detected = util.relationshipgetters.get_techniques_detected_by_detectionstrategy().get(
detection_strategy["id"], [None]
)
+ if not technique_detected[0]:
+ logger.error(
+ f"Detection strategy {detection_strategy['id']} has no detected technique relationship "
+ f"while processing data component {datacomponent['id']}"
+ )
+ continue
technique = technique_detected[0]["object"]
attack_id_technique = util.buildhelpers.get_attack_id(technique)
if attack_id_technique is None:
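Review bot: The new guard `if not technique_detected[0]:` only covers the `[None]` default that `.get()` returns when the strategy id is absent; if `get_techniques_detected_by_detectionstrategy()` can map an id to an empty list, `technique_detected[0]` raises IndexError before the check runs. A guard that covers both shapes is `if not technique_detected or not technique_detected[0]:`. Whether the getter ever yields an empty list is not visible in this hunk, so it is worth confirming against its implementation. The deprecated/revoked skip is silent while the missing-relationship case logs at error level; a debug-level line on the skip would make dropped strategies visible when page counts look off. `generate_datacomponent_md` begins and ends outside the hunk.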
diff --git a/modules/matrices/matrices.py b/modules/matrices/matrices.py
index 741f17671a7..d0b64796c46 100644
--- a/modules/matrices/matrices.py
+++ b/modules/matrices/matrices.py
@@ -141,8 +141,10 @@ def get_sub_matrices(matrix):
platform_techniques = util.buildhelpers.filter_deprecated_revoked(platform_techniques)
# get relevant tactics
all_tactics = util.stixhelpers.get_all_of_type(domain_ms, ["x-mitre-tactic"])
+ tactic_by_id = {}
tactic_id_to_shortname = {}
for tactic in all_tactics:
+ tactic_by_id[tactic["id"]] = tactic
if "x_mitre_shortname" in tactic:
tactic_id_to_shortname[tactic["id"]] = tactic["x_mitre_shortname"]
else:
@@ -210,24 +212,31 @@ def transform_technique(technique, tactic_id):
return obj
def techniques_in_tactic(tactic_id):
- """helper function mapping a tactic_id
- to a structured tactic object including the (filtered) techniques
- in the tactic"""
+ """Map a tactic_id to a structured tactic object.
+
+ Include the (filtered) techniques in the tactic
+ """
+ shortname = tactic_id_to_shortname.get(tactic_id)
+ if not shortname:
+ logger.warning(f"Tactic not found or missing shortname: {tactic_id}")
+ return []
# filter platform techniques to those inside of this tactic
techniques = list(
- filter(lambda technique: tactic_id_to_shortname[tactic_id] in phase_names(technique), platform_techniques)
+ filter(lambda technique: shortname in phase_names(technique), platform_techniques)
)
# transform into format required by matrix macro
return list(map(lambda t: transform_technique(t, tactic_id), techniques))
def transform_tactic(tactic_id):
- """transform a tactic object into the format required by the matrix macro"""
- tactic_obj = list(filter(lambda t: t["id"] == tactic_id, all_tactics))[0]
+ """Transform a tactic object into the format required by the matrix macro."""
+ obj = {"techniques": []}
+ tactic_obj = tactic_by_id.get(tactic_id)
+ if not tactic_obj:
+ logger.warning(f"Tactic reference not found in bundle: {tactic_id}")
+ return obj
attack_id = util.buildhelpers.get_attack_id(tactic_obj)
- obj = {"techniques": []}
-
if attack_id:
obj["id"] = tactic_id
obj["name"] = tactic_obj["name"]
diff --git a/modules/matrices/matrices_config.py b/modules/matrices/matrices_config.py
index 0a0408519e4..72eb0f2c1ed 100644
--- a/modules/matrices/matrices_config.py
+++ b/modules/matrices/matrices_config.py
@@ -14,6 +14,7 @@
"Title: Matrix Overview \n"
"Template: general/redirect-index \n"
"RedirectLink: /matrices/enterprise/ \n"
+ "private: True \n"
"save_as: matrices/index.html"
)
diff --git a/modules/mitigations/mitigations_config.py b/modules/mitigations/mitigations_config.py
index 47d9af8178c..0671fdac535 100644
--- a/modules/mitigations/mitigations_config.py
+++ b/modules/mitigations/mitigations_config.py
@@ -15,6 +15,7 @@
"Title: Mitigation Overview \n"
"Template: general/redirect-index \n"
"RedirectLink: /mitigations/enterprise/ \n"
+ "private: True \n"
"save_as: mitigations/index.html \n"
)
diff --git a/modules/redirections/redirections.json b/modules/redirections/redirections.json
index c1e2143de87..018b98b437f 100644
--- a/modules/redirections/redirections.json
+++ b/modules/redirections/redirections.json
@@ -138,5 +138,10 @@
"title" : "Resources PRE Introduction redirect",
"from" : "resources/pre-introduction/",
"to" : "/resources"
+ },
+ {
+ "title" : "ATT&CK Sightings redirect",
+ "from" : "resources/sightings/index.html",
+ "to" : "https://ctid.mitre.org/projects/sightings-ecosystem/"
}
]
\ No newline at end of file
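Review bot: The new entry's `from` is `resources/sightings/index.html`, while the neighbouring entries use a directory path with a trailing slash (`resources/pre-introduction/`); if the loader derives the generated page from `from` the way the Python side in this commit does (`f"{data['from']}/index.html"`), this entry would produce `.../index.html/index.html`. Unless the loader special-cases file names, `"from" : "resources/sightings/",` would match the existing convention. The target is an absolute external URL where the other entries are site-relative, so it is worth confirming that the redirect template emits it unchanged rather than prefixing the site root. I cannot see the loader from this hunk, so both points are to be verified against it.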
diff --git a/modules/redirections/redirections.py b/modules/redirections/redirections.py
index 0dccfd9622f..f34e5134644 100644
--- a/modules/redirections/redirections.py
+++ b/modules/redirections/redirections.py
@@ -20,13 +20,15 @@ def generate_redirections():
redirections_filename=redirections_config.redirections_location, redirect_md=site_config.redirect_md_index
)
+ generated_save_as = set()
+
for domain in site_config.domains:
- if domain["deprecated"] or (redirections_config.redirects_paths.get(domain["name"]) == None):
+ if domain["deprecated"] or domain["name"] == "pre-attack":
continue
- generate_markdown_files(domain["name"])
+ generate_markdown_files(domain["name"], generated_save_as)
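Review bot: The skip condition now hardcodes `domain["name"] == "pre-attack"` where it previously derived the unsupported set from `redirections_config.redirects_paths`; since the membership check has moved into `generate_obj_redirect` in a later hunk, a domain without an entry is no longer skipped here but still gets the `redirect_link['new']`-based redirects, which may be the intent. If so, a one-line comment stating it would help the next reader, e.g. `# pre-attack is skipped entirely; other domains without redirects_paths still get new-path redirects`, and the literal is better kept as a named value in `redirections_config` than inline. If not, restoring `redirections_config.redirects_paths.get(domain["name"]) is None` here keeps the decision data-driven. `generate_redirections` begins outside the hunk.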
-def generate_markdown_files(domain):
+def generate_markdown_files(domain, generated_save_as):
"""Given a domain, changes all the old links to new redirected links."""
# Reads the json attack STIX and creates a list of the ATT&CK Tactics
ms = util.relationshipgetters.get_ms()
@@ -49,6 +51,7 @@ def generate_markdown_files(domain):
new_attack_id=revoked_attack_id,
old_attack_id=old_attack_id,
domain=domain,
+ generated_save_as=generated_save_as,
)
if old_attack_id != new_attack_id:
@@ -57,6 +60,7 @@ def generate_markdown_files(domain):
new_attack_id=revoked_attack_id,
old_attack_id=new_attack_id,
domain=domain,
+ generated_save_as=generated_save_as,
)
else:
generate_obj_redirect(
@@ -64,6 +68,7 @@ def generate_markdown_files(domain):
new_attack_id=new_attack_id,
old_attack_id=old_attack_id,
domain=domain,
+ generated_save_as=generated_save_as,
)
if domain == "mobile-attack":
@@ -74,11 +79,28 @@ def generate_markdown_files(domain):
if new_attack_id:
generate_obj_redirect(
- redirections_config.mobile_redirect_dict[types[0]], new_attack_id, old_attack_id, domain
+ redirections_config.mobile_redirect_dict[types[0]],
+ new_attack_id,
+ old_attack_id,
+ domain,
+ generated_save_as,
)
-def generate_obj_redirect(redirect_link, new_attack_id, old_attack_id, domain):
+def _write_redirect_file(data, generated_save_as):
+ save_as = f"{data['from']}/index.html"
+ if save_as in generated_save_as:
+ return
+
+ generated_save_as.add(save_as)
+
+ subs = site_config.redirect_md_index.substitute(data)
+ redirect_file = os.path.join(site_config.redirects_markdown_path, f"{data['title']}.md")
+ with open(redirect_file, "w", encoding="utf8") as md_file:
+ md_file.write(subs)
+
+
+def generate_obj_redirect(redirect_link, new_attack_id, old_attack_id, domain, generated_save_as):
"""Responsible for generating redirects markdown for given data."""
data = {}
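Review bot: `_write_redirect_file` deduplicates on `save_as = f"{data['from']}/index.html"` but writes to `{data['title']}.md`, so the key and the output path can disagree: two entries with the same `from` but different titles are collapsed to the first title, while two with the same title but different `from` still overwrite each other silently. If the goal is to stop the same generated page being emitted twice, keying on the actual `redirect_file` path (or on both values) would make that explicit. The helper also lacks the docstring its neighbours carry; suggest `"""Write one redirect markdown file for data, skipping 'from' paths already generated in this run."""`. The two `site_config` attributes used are the same ones the removed inline code used, so no new coupling is introduced.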
@@ -92,22 +114,16 @@ def generate_obj_redirect(redirect_link, new_attack_id, old_attack_id, domain):
old_attack_id = util.buildhelpers.redirection_subtechnique(old_attack_id)
data["to"] = f"/{redirect_link['new']}/{new_attack_id}"
- data["from"] = f"{redirections_config.redirects_paths[domain]}{redirect_link['old']}/{old_attack_id}"
-
- subs = site_config.redirect_md_index.substitute(data)
- redirect_file = os.path.join(site_config.redirects_markdown_path, f"{data['title']}.md")
- with open(redirect_file, "w", encoding="utf8") as md_file:
- md_file.write(subs)
+ if domain in redirections_config.redirects_paths:
+ data["from"] = f"{redirections_config.redirects_paths[domain]}{redirect_link['old']}/{old_attack_id}"
+ _write_redirect_file(data, generated_save_as)
if new_attack_id != old_attack_id:
data["from"] = f"{redirect_link['new']}/{old_attack_id}"
-
- subs = site_config.redirect_md_index.substitute(data)
-
redirect_file = os.path.join(site_config.redirects_markdown_path, f"{redirect_link['new']}{data['title']}.md")
- with open(redirect_file, "w", encoding="utf8") as md_file:
- md_file.write(subs)
+ data["title"] = os.path.splitext(os.path.basename(redirect_file))[0]
+ _write_redirect_file(data, generated_save_as)
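Review bot: At `data["title"] = os.path.splitext(os.path.basename(redirect_file))[0]` the prefixed file name is folded back into `data["title"]`, which is also what `redirect_md_index.substitute(data)` renders, so the generated page's title now carries the `redirect_link['new']` prefix where the removed code kept the original title in the markdown and only prefixed the file name. `os.path.basename` also drops any directory part of `redirect_link['new']`, so if any `new` value contains a `/` the file now lands flat in `redirects_markdown_path` instead of the subdirectory the old `os.path.join` produced; whether such a value exists is not visible here. If the rendered title should stay as before, pass the file name to `_write_redirect_file` as a separate argument rather than via `data["title"]`. With the new `if domain in redirections_config.redirects_paths` guard, a domain without an entry whose ids are equal now writes nothing silently; a debug log on that path would help diagnose missing redirects. `generate_obj_redirect` starts in the previous hunk.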
def get_new_and_old_ids(obj):
diff --git a/modules/resources/__init__.py b/modules/resources/__init__.py
index 33477ec9925..437f6dc81e4 100644
--- a/modules/resources/__init__.py
+++ b/modules/resources/__init__.py
@@ -27,6 +27,12 @@ def get_menu():
"external_link": False,
"children": [],
},
+ {
+ "display_name": "ATT&CK Advisory Council",
+ "url": "/resources/attack-advisory-council/",
+ "external_link": False,
+ "children": [],
+ },
{"display_name": "ATT&CKcon", "url": "/resources/attackcon/", "external_link": False, "children": []},
{
"display_name": "ATT&CK Data & Tools",
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-analytics.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-analytics.xlsx
new file mode 100644
index 00000000000..6582d6e0001
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-analytics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-campaigns.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-campaigns.xlsx
new file mode 100644
index 00000000000..e97431d1007
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-campaigns.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-datacomponents.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-datacomponents.xlsx
new file mode 100644
index 00000000000..c28ab1a6cf1
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-datacomponents.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-detectionstrategies.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-detectionstrategies.xlsx
new file mode 100644
index 00000000000..14773f3f530
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-detectionstrategies.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-detectionstrategy-analytic-logsources.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-detectionstrategy-analytic-logsources.xlsx
new file mode 100644
index 00000000000..2ae47171683
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-detectionstrategy-analytic-logsources.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-groups.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-groups.xlsx
new file mode 100644
index 00000000000..c6de4a66a7c
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-groups.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-matrices.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-matrices.xlsx
new file mode 100644
index 00000000000..c782e9bfa70
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-matrices.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-mitigations.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-mitigations.xlsx
new file mode 100644
index 00000000000..975441a2e3f
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-mitigations.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-relationships.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-relationships.xlsx
new file mode 100644
index 00000000000..646749bf146
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-relationships.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-software.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-software.xlsx
new file mode 100644
index 00000000000..b5d07690415
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-software.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-tactics.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-tactics.xlsx
new file mode 100644
index 00000000000..c110c546b06
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-tactics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-techniques.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-techniques.xlsx
new file mode 100644
index 00000000000..2f362742226
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1-techniques.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1.xlsx b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1.xlsx
new file mode 100644
index 00000000000..776f1a3dc47
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-analytics.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-analytics.xlsx
new file mode 100644
index 00000000000..5709723fe0b
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-analytics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-assets.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-assets.xlsx
new file mode 100644
index 00000000000..14bc214b30d
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-assets.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-campaigns.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-campaigns.xlsx
new file mode 100644
index 00000000000..f5e6f192b6d
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-campaigns.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-datacomponents.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-datacomponents.xlsx
new file mode 100644
index 00000000000..44884ea1639
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-datacomponents.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-detectionstrategies.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-detectionstrategies.xlsx
new file mode 100644
index 00000000000..3a7f8f5f4a3
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-detectionstrategies.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-detectionstrategy-analytic-logsources.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-detectionstrategy-analytic-logsources.xlsx
new file mode 100644
index 00000000000..73c16797244
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-detectionstrategy-analytic-logsources.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-groups.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-groups.xlsx
new file mode 100644
index 00000000000..43e332352f6
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-groups.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-matrices.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-matrices.xlsx
new file mode 100644
index 00000000000..263dd2f8c89
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-matrices.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-mitigations.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-mitigations.xlsx
new file mode 100644
index 00000000000..3794a591803
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-mitigations.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-relationships.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-relationships.xlsx
new file mode 100644
index 00000000000..023df523636
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-relationships.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-software.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-software.xlsx
new file mode 100644
index 00000000000..54a6b6c571b
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-software.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-tactics.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-tactics.xlsx
new file mode 100644
index 00000000000..e1c42e6d295
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-tactics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-techniques.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-techniques.xlsx
new file mode 100644
index 00000000000..e2bfe3a7b88
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1-techniques.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1.xlsx b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1.xlsx
new file mode 100644
index 00000000000..de0bed5b9e9
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-analytics.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-analytics.xlsx
new file mode 100644
index 00000000000..ffe75fd6147
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-analytics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-campaigns.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-campaigns.xlsx
new file mode 100644
index 00000000000..4768614c3df
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-campaigns.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-datacomponents.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-datacomponents.xlsx
new file mode 100644
index 00000000000..df6546c6f25
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-datacomponents.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-detectionstrategies.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-detectionstrategies.xlsx
new file mode 100644
index 00000000000..e5195eb8fc8
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-detectionstrategies.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-detectionstrategy-analytic-logsources.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-detectionstrategy-analytic-logsources.xlsx
new file mode 100644
index 00000000000..5bde994ad4c
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-detectionstrategy-analytic-logsources.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-groups.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-groups.xlsx
new file mode 100644
index 00000000000..bf5888b70f9
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-groups.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-matrices.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-matrices.xlsx
new file mode 100644
index 00000000000..014c495b4f4
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-matrices.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-mitigations.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-mitigations.xlsx
new file mode 100644
index 00000000000..a772ce8a960
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-mitigations.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-relationships.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-relationships.xlsx
new file mode 100644
index 00000000000..dda86a64ebc
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-relationships.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-software.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-software.xlsx
new file mode 100644
index 00000000000..bf824fc8c77
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-software.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-tactics.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-tactics.xlsx
new file mode 100644
index 00000000000..481fec149f9
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-tactics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-techniques.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-techniques.xlsx
new file mode 100644
index 00000000000..84ec49a1e92
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1-techniques.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1.xlsx b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1.xlsx
new file mode 100644
index 00000000000..251fba6dc4c
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1.xlsx differ
diff --git a/modules/resources/docs/changelogs/v18.1-v19.0/changelog-detailed.html b/modules/resources/docs/changelogs/v18.1-v19.0/changelog-detailed.html
new file mode 100644
index 00000000000..6aca6eb5e0f
--- /dev/null
+++ b/modules/resources/docs/changelogs/v18.1-v19.0/changelog-detailed.html
@@ -0,0 +1,6083 @@
+
+
+
+ ATT&CK Changes
+
+
+
+
+ATT&CK Changes Between v18.1 and v19.0 Key
+
+New objects: ATT&CK objects which are only present in the new release.
+Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
+Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
+Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
+Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
+Object revocations: ATT&CK objects which are revoked by a different object.
+Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
+Object deletions: ATT&CK objects which are no longer found in the STIX data.
+
+
+
+
+ Colors for description field
+ Added
+ Changed
+ Deleted
+
+
+
+
+Additional formats
+These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
+
+This JSON file contains the machine readble output used to create this page: changelog.json
+Techniques enterprise-attack New Techniques [T1683.002] Generate Content: Audio-Visual Content Current version : 1.0
Description :
Adversaries may create or manipulate audio, image, and video content to support targeting and malicious operations. Adversaries may also use synthetic voice recordings, real-time altered audio or video during live interactions, fabricated profile photos and identity documents, or video content depicting fabricated or impersonated individuals.(Citation: Nov AI Threat Tracker)
+Content may be produced manually through editing tools, generated using AI-assisted tools, or produced using third-party synthetic services.(Citation: FBI 2025 AI Generate Content)(Citation: Europol Deepfakes) AI-assisted tools have enabled adversaries to produce synthetic media at scale and generate content that is more difficult to identify as inauthentic.
+Audio-visual content produced through these methods may be used in support of other techniques, such as Phishing , Spearphishing via Service , Phishing for Information , Internal Spearphishing , Social Engineering , Financial Theft , or Establish Accounts .
[T1685.006] Disable or Modify Tools: Clear Linux or Mac System Logs Current version : 1.0
Description :
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
+
+/var/log/messages:: General and system-related messages
+/var/log/secure or /var/log/auth.log: Authentication logs
+/var/log/utmp or /var/log/wtmp: Login records
+/var/log/kern.log: Kernel logs
+/var/log/cron.log: Crond logs
+/var/log/maillog: Mail server logs
+/var/log/httpd/: Web server access and error logs
+ [T1685.005] Disable or Modify Tools: Clear Windows Event Logs Current version : 1.0
Description :
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
+With administrator privileges, the event logs can be cleared with the following utility commands:
+
+wevtutil cl system
+wevtutil cl application
+wevtutil cl security
+
+These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell . For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
[T1686.001] Disable or Modify System Firewall: Cloud Firewall Current version : 1.0
Description :
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
+Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane.
+For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Expel AWS)
[T1685.002] Disable or Modify Tools: Disable or Modify Cloud Log Current version : 1.0
Description :
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
+For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality, for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Cloud Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading)
[T1685.004] Disable or Modify Tools: Disable or Modify Linux Audit System Log Current version : 1.0
Description :
Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
+Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules, containing a sequence of auditctl commands loaded at boot time.(Citation: IzyKnows auditd threat detection 2022)(Citation: Red Hat Linux Disable or Mod)
+With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with auditd daemon or use systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the /etc/audit/audit.rules or audit.conf files to ignore malicious activity.(Citation: ESET Ebury Feb 2014)
[T1686] Disable or Modify System Firewall Current version : 1.0
Description :
Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.(Citation: change_rdp_port_conti)
+Adversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Broadcom ESXi Firewall)(Citation: Trellix Rnasomhouse 2024)
[T1685] Disable or Modify Tools Current version : 1.0
Description :
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware)
+In addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)
+More advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization’s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)
[T1685.001] Disable or Modify Tools: Disable or Modify Windows Event Log Current version : 1.0
Description :
Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. Windows Event Log records user and system activity such as login attempts and process creation.(Citation: EventLog_Core_Technologies) This data is used by security tools and analysts to generate detections.
+The EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Microsoft Audit Policy)(Citation: Microsoft Adv Security Settings) auditpol.exe may also be used to set audit policies.(Citation: Microsoft auditpol)
+Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog). Additionally, the service may be disabled by modifying the "Start" value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging)
+There are several ways to disable the EventLog service via registry key modification. Without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) With Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.
+Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:"Account Logon" /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)
[T1689] Downgrade Attack Current version : 1.0
Description :
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
+Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreter or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing .(Citation: Praetorian TLS Downgrade Attack 2014) For example, PowerShell versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to impair defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike downgrade attack)(Citation: Google Cloud downgrade attack)(Citation: att_def_ps_logging)
+Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: CrowdStrike Downgrade attack 2) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)
[T1684.002] Social Engineering: Email Spoofing Current version : 1.0
Description :
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.
+Enterprise environments can use Domain-based Message Authentication, Reporting, and Conformance (DMARC) as an email authentication protocol that references results of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configurations. SPF and DKIM are configured separately in DNS: SPF verifies that the sending server is authorized for the domain, while DKIM uses a digital signature to verify email integrity and domain authentication. Together, they validate email authenticity and specify how receiving servers should handle authentication failures. Without enforced identity authentication, adversaries may compromise the integrity of an authentication check with altered headers that would not have otherwise passed.(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC)
+An example of a weak or absent DMARC policy is v=DMARC1; p=none; fo=1;. The p=none. The p=none indicates no action should be taken, and therefore no filtering action will take place, even if an email fails authentication checks (i.e., SPF and/or DKIM fail). When a DMARC policy indicates no action, the email will still be delivered to the victim’s inbox.(Citation: ic3-dprk)
+Adversaries have abused weak or absent DMARC policies to circumvent authentication checks and conceal social engineering attempts. Adversaries can alter email headers to include legitimate domain names with fake usernames or impersonate legitimate users via Impersonation for Phishing . Additionally, adversaries may abuse Microsoft 365’s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend)
[T1687] Exploitation for Defense Impairment Current version : 1.0
Description :
Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disable, or otherwise continue to impair their ability to prevent, detect, or respond to malicious activity.
+Adversaries may exploit a system or application vulnerability to directly interfere with defensive mechanisms. Exploitation occurs when an adversary takes advantage of a programming error in software, services, or the operating system to execute adversary-controlled code, often with the goal of weakening or disabling protections.
+Vulnerabilities may exist in security tools such as antivirus, endpoint detection and response (EDR), firewalls, or other monitoring solutions. Adversaries may use prior reconnaissance or perform discovery activities (e.g., Software Discovery ) to identify defensive tools present in an environment and target them for exploitation.
+Successful exploitation may allow adversaries to terminate security processes, disable protections, bypass enforcement mechanisms, or reduce the effectiveness of defensive controls. In some cases, vulnerabilities in cloud-based or SaaS infrastructure may also be leveraged to bypass built-in security boundaries or disrupt visibility and enforcement across environments.(Citation: Salesforce zero-day in facebook phishing attack)
[T1683] Generate Content Current version : 1.0
Description :
Adversaries may create or generate content to support targeting and operations. This content may be used to establish personas, impersonate known individuals or organizations, and support Social Engineering , fraud, or influence activities. Written materials, audio, images, video, or other media may be developed and tailored to the target and objective.(Citation: IBM AI-Generated Content)
+Content development may occur prior to or during an operation. Adversaries may develop or generate content in-house, source it through third parties, or produce it using AI-assisted tools. Adversaries may use AI to research targets, develop pretexts, and better understand the organizations and individuals they intend to target or deceive prior to generating content (i.e., Query Public AI Services ); for obtaining access to AI tools used in content generation, see Artificial Intelligence .
+Content may be leveraged in support of techniques such as Phishing , Phishing for Information , Social Engineering , Financial Theft , or Establish Accounts . Generated or developed content does not include malicious code or scripts (i.e., Develop Capabilities and Artificial Intelligence ).
[T1684.001] Social Engineering: Impersonation Current version : 1.0
Description :
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information , Phishing , or Internal Spearphishing ) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.
+In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft .
+Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as payment, request, or urgent to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.
+Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains ) to substantiate their false identity.(Citation: Crowdstrike BEC)
+There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)
[T1027.018] Obfuscated Files or Information: Invisible Unicode Current version : 1.0
Description :
Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text. By inserting characters that do not visibly render, adversaries may hide data, alter how content is interpreted, or make malicious code appear as benign text or whitespace. Adversaries may encode these malicious payloads, using binary, Base64, or custom schemes, to be reconstructed at runtime through scripting features such as JavaScript Proxy traps, eval(), or other dynamic execution methods. This technique enables adversaries to evade visual inspection and basic static analysis by hiding malicious encoded content in innocuous text.(Citation: PUAs Unicode - Eriksen)(Citation: Tycoon2FA - Unicode)(Citation: Unicode - Veracode)
+Unicode is a standardized character encoding model that assigns a unique numerical value, known as a code point, to every character across writing systems, enabling consistent text representation across platforms, applications, and languages. Code points are represented as U+ followed by a hexadecimal value and may be encoded using formats such as UTF-8 or UTF-16. Adversaries may abuse the valid code points in Unicode that are not visibly rendered but still take up bytes, such as zero-width spaces, variation selectors, or bidirectional formatting controls, to conceal malicious payloads.(Citation: Tycoon2FA - Unicode)(Citation: GlassWorm - Unicode)(Citation: Unicode and Hidden Prompts - Perets)
+Adversaries may additionally exploit Private Use Area (PUA) characters, a range of code points reserved for custom assignment. PUA characters that are not defined by a font or application are typically rendered blank.(Citation: PUAs Unicode - Eriksen)
+Unicode characters may also be leveraged in support of other techniques such as Phishing , Right-to-Left Override , or User Execution . For example, some adversaries may embed artificial intelligence (AI) prompt injections using invisible Unicode characters in emails or documents that appear benign when processed by AI systems.(Citation: LLMs and Unicode - Medium)(Citation: Invisible Prompt Injection - Trend Micro)
[T1685.003] Disable or Modify Tools: Modify or Spoof Tool UI Current version : 1.0
Description :
Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response.
+Adversaries may present misleading or falsified security tool interfaces (UIs) that display normal or healthy status indicators, even when underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries can undermine defender trust in these signals and obscure the true security posture of the system.
+This behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity.
+For example, adversaries may display a fake Windows Security interface or system tray icon indicating a “protected” or “healthy” state after disabling Windows Defender or related services.(Citation: BlackBasta)
[T1686.002] Disable or Modify System Firewall: Network Device Firewall Current version : 1.0
Description :
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
+Adversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subsets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.
+Adversaries may obtain access to network device management interfaces via Valid Accounts or by exploiting vulnerabilities. In some cases, threat actors may target firewalls and other network infrastructure that are exposed to the internet by leveraging weaknesses in public-facing applications (Exploit Public-Facing Application ).(Citation: CVE-2024-55591 Detail)
+Adversaries may also modify host networking configurations that indirectly manipulate system firewalls, such as adjusting interface bandwidth or network connection request thresholds.
[T1690] Prevent Command History Logging Current version : 1.0
Description :
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they have done.
+On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. The HISTFILE environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
+Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that " ls" will not be saved, but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
+On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft about_History prevent command history)(Citation: Sophos PowerShell Command History Forensics)
+Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).
[T1682] Query Public AI Services Current version : 1.0
Description :
Adversaries may query publicly accessible artificial intelligence (AI) services, such as large language models (LLMs), to support targeting and operations. In addition to searching websites or databases directly (i.e., Search Open Websites/Domains ), adversaries may use AI services to synthesize, aggregate, and analyze publicly available information at scale. This may include identifying individuals or organizations to target, researching organizational structures and personnel, identifying technologies used by target organizations, researching business relationships to develop plausible pretexts for Social Engineering approaches, identifying contact information for use in Phishing or Phishing for Information , or gathering derogatory or sensitive information about individuals that may be used for extortion or coercion.(Citation: MSFT-AI)(Citation: GTIG AI Threat Tracker)
+Information gathered through AI services may be leveraged for other behaviors, such as establishing operational resources (i.e., Generate Content or Establish Accounts . For obtaining access to AI tools and services, see Artificial Intelligence .
[T1688] Safe Mode Boot Current version : 1.0
Description :
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Windows Startup Settings)(Citation: Sophos Safe Mode Boot)
+Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit)
+Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry ). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason safe mode boot)(Citation: BleepingComputer REvil 2021)
[T1684] Social Engineering Current version : 1.0
Description :
Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adversary-supplied instructions (i.e., introduction of malicious payloads or software), while minimizing technical indicators.
+Adversaries may leverage trust-building methods across multiple channels (e.g., executive, vendor, or help desk scenarios, including AI-enabled voice interactions) to prompt user-authorized actions such as password resets, MFA changes, financial approvals, or the disclosure of sensitive information. Adversaries may also leverage common business communications and workflows such as email, collaboration platforms, voice communications, recruiting processes, help desk interactions, and SaaS consent mechanisms to make malicious requests appear routine and legitimate.(Citation: Proofpoint TA427 April 2024)(Citation: SE SentinelOne 2)(Citation: SE - Hackers Target Workday)
+Additionally, adversaries have persuaded victims to take actions through references of current events, harnessing relevant themes to the work role or the organizations mission. For example, adversaries may use scare tactics (i.e., threaten repercussions for non-compliance) or otherwise incite victims’ emotions in order to generate a sense of urgency to take action.(Citation: SE Proofpoint)(Citation: SE SentinelOne)
+This technique may include common social engineering patterns such as Phishing and Spearphishing Voice , often supported by convincing and targeted narratives.(Citation: SE SentinelOne 2)(Citation: Fortinet Trends 25-26)
[T1686.003] Disable or Modify System Firewall: Windows Host Firewall Current version : 1.0
Description :
Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic.(Citation: Nearest Neighbor Volexity)
+Adversaries may perform these modifications through multiple mechanisms depending on the Windows operating system and access level. For example, adversaries may use command-line utilities (e.g., netsh advfirewall or PowerShell cmdlets like Set-NetFirewallProfile, New-NetFirewallRule), Windows Registry modifications (e.g., altering firewall states and rule configurations via registry keys), or the Windows Control Panel to modify firewall settings through the Windows Security interface.
+By disabling or modifying Windows firewall services, adversaries may enable access to remote services, open ports for command and control traffic, or configure rules for further actions.
[T1683.001] Generate Content: Written Content Current version : 1.0
Description :
Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time.(Citation: GenAI Phishing)(Citation: GTIG AI Threat Tracker) Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.
+Written materials may impersonate legitimate government correspondence, diplomatic communications, or internal organizational documents to support targeting efforts. AI-assisted tools may also be used to tailor content to specific targets, industries, or regions. For example, adversaries may leverage AI to translate content into a target's native language or mimic the communication style of trusted senders.
+Written content produced through these methods may be used in support of other techniques, such as Phishing , Spearphishing via Service , Phishing for Information , Internal Spearphishing , Social Engineering , Financial Theft , or Establish Accounts .
+Written content does not include malicious code or scripts; for development of malicious code and scripts, see Develop Capabilities .
Major Version Changes [T1548] Abuse Elevation Control Mechanism Current version : 2.0
Version changed from : 1.5 → 2.0
+
+
+
+
+
+ t Adversaries may circumvent mechanisms designed to control el t Adversaries may circumvent mechanisms designed to control pr
+ evate privileges to gain higher-level permissions. Most modeivilege elevation to gain higher-level permissions. Most mod
+ rn systems contain native elevation control mechanisms that ern systems contain native elevation control mechanisms that
+ are intended to limit privileges that a user can perform on are intended to limit privileges that a user can perform on
+ a machine. Authorization has to be granted to specific users a machine. Authorization has to be granted to specific user
+ in order to perform tasks that can be considered of higher s in order to perform tasks that can be considered of higher
+ risk.(Citation: TechNet How UAC Works)(Citation: sudo man pa risk.(Citation: TechNet How UAC Works)(Citation: sudo man p
+ ge 2018) An adversary can perform several methods to take ad age 2018) An adversary can perform several methods to take a
+ vantage of built-in control mechanisms in order to escalate dvantage of built-in control mechanisms in order to escalate
+ privileges on a system.(Citation: OSX Keydnap malware)(Citat privileges on a system.(Citation: OSX Keydnap malware)(Cita
+ ion: Fortinet Fareit) tion: Fortinet Fareit)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:53.277000+00:00 2026-04-21 18:05:00.504000+00:00 description Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit) Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1134] Access Token Manipulation Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:29.051000+00:00 2026-04-15 19:53:44.334000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'BlackHat Atkinson Winchester Token Manipulation', 'description': 'Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.', 'url': 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf'} external_references {'source_name': 'Microsoft Command-line Logging', 'description': 'Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.', 'url': 'https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing'} external_references {'source_name': 'Microsoft LogonUser', 'description': 'Microsoft TechNet. (n.d.). Retrieved April 25, 2017.', 'url': 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx'} external_references {'source_name': 'Microsoft DuplicateTokenEx', 'description': 'Microsoft TechNet. (n.d.). Retrieved April 25, 2017.', 'url': 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx'} external_references {'source_name': 'Microsoft ImpersonateLoggedOnUser', 'description': 'Microsoft TechNet. (n.d.). Retrieved April 25, 2017.', 'url': 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx'}
[T1574.014] Hijack Execution Flow: AppDomainManager Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 21:48:08.401000+00:00 2026-04-15 22:57:09.601000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1550.001] Use Alternate Authentication Material: Application Access Token Current version : 2.0
Version changed from : 1.8 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:35.227000+00:00 2026-04-15 22:48:23.373000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.8 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} external_references {'source_name': 'AWS Logging IAM Calls', 'description': 'AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022.', 'url': 'https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html'} external_references {'source_name': 'GCP Monitoring Service Account Usage', 'description': 'Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022.', 'url': 'https://cloud.google.com/iam/docs/service-account-monitoring'}
[T1055.004] Process Injection: Asynchronous Procedure Call Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:00.298000+00:00 2026-04-15 22:26:41.151000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Elastic Process Injection July 2017', 'description': 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.', 'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'}
[T1197] BITS Jobs Current version : 2.0
Version changed from : 1.5 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:22.711000+00:00 2026-04-15 19:57:02.003000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion execution x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 2.0
iterable_item_added STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Elastic - Hunting for Persistence Part 1', 'description': 'French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.', 'url': 'https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1'} external_references {'source_name': 'Microsoft Issues with BITS July 2011', 'description': 'Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018.', 'url': 'https://technet.microsoft.com/library/dd939934.aspx'}
[T1027.001] Obfuscated Files or Information: Binary Padding Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:50.205000+00:00 2026-04-15 22:15:33.904000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
[T1564.013] Hide Artifacts: Bind Mounts Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:34.469000+00:00 2026-04-15 20:17:48.263000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1542.003] Pre-OS Boot: Bootkit Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:28.341000+00:00 2026-04-17 18:38:49.558000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1036.009] Masquerading: Break Process Trees Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 21:54:02.243000+00:00 2026-04-15 20:32:49.027000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1036.012] Masquerading: Browser Fingerprint Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Adversaries may attempt to blend in with legitimate traffic t Adversaries may attempt to blend in with legitimate traffic
+ by spoofing browser and system attributes like operating sys by spoofing browser and system attributes like operating sys
+ tem, system language, platform, user-agent string, resolutio tem, system language, platform, user-agent string, resolutio
+ n, time zone, etc. The HTTP User-Agent request header is a n, time zone, etc. The HTTP User-Agent request header is a
+ string that lets servers and network peers identify the appl string that lets servers and network peers identify the appl
+ ication, operating system, vendor, and/or version of the req ication, operating system, vendor, and/or version of the req
+ uesting user agent.(Citation: Mozilla User Agent) Adversari uesting user agent.(Citation: Mozilla User Agent) Adversari
+ es may gather this information through [System Information D es may gather this information through [System Information D
+ iscovery](https://attack.mitre.org/techniques/T1082) or by u iscovery](https://attack.mitre.org/techniques/T1082) or by u
+ sers navigating to adversary-controlled websites, and then u sers navigating to adversary-controlled websites, and then u
+ se that information to craft their web traffic to evade defe se that information to craft their web traffic to evade defe
+ nses.(Citation: Gummy Browsers: Targeted Browser Spoofing ag nses.(Citation: Gummy Browsers Targeted Browser Spoofing aga
+ ainst State-of-the-Art Fingerprinting Techniques) inst State-of-the-Art Fingerprinting Techniques)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-19 19:41:22.343000+00:00 2026-04-15 20:37:12.322000+00:00 description Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.(Citation: Mozilla User Agent)
+
+Adversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques) Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.(Citation: Mozilla User Agent)
+
+Adversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques) kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[2]['source_name'] Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques external_references[2]['description'] Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Retrieved September 22, 2025. Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Retrieved April 15, 2026. x_mitre_version 1.0 2.0
[T1612] Build Image on Host Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:01.646000+00:00 2026-04-15 19:56:51.027000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
[T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control Current version : 3.0
Version changed from : 2.2 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:25.823000+00:00 2026-04-15 19:51:31.419000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.2 3.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} external_references {'source_name': 'enigma0x3 sdclt app paths', 'description': 'Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.', 'url': 'https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/'} external_references {'source_name': 'enigma0x3 sdclt bypass', 'description': 'Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.', 'url': 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'}
[T1218.003] System Binary Proxy Execution: CMSTP Current version : 3.0
Version changed from : 2.2 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:45.149000+00:00 2026-04-15 22:37:18.154000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.2 3.0
[T1574.012] Hijack Execution Flow: COR_PROFILER Current version : 2.0
Version changed from : 1.1 → 2.0
+
+
+
+
+
+ t Adversaries may leverage the COR_PROFILER environment variab t Adversaries may leverage the COR_PROFILER environment variab
+ le to hijack the execution flow of programs that load the .N le to hijack the execution flow of programs that load the .N
+ ET CLR. The COR_PROFILER is a .NET Framework feature which a ET CLR. The COR_PROFILER is a .NET Framework feature which a
+ llows developers to specify an unmanaged (or external of .NE llows developers to specify an unmanaged (or external of .NE
+ T) profiling DLL to be loaded into each .NET process that lo T) profiling DLL to be loaded into each .NET process that lo
+ ads the Common Language Runtime (CLR). These profilers are d ads the Common Language Runtime (CLR). These profilers are d
+ esigned to monitor, troubleshoot, and debug managed code exe esigned to monitor, troubleshoot, and debug managed code exe
+ cuted by the .NET CLR.(Citation: Microsoft Profiling Mar 201 cuted by the .NET CLR.(Citation: Microsoft Profiling Mar 201
+ 7)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFI 7)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFI
+ LER environment variable can be set at various scopes (syste LER environment variable can be set at various scopes (syste
+ m, user, or process) resulting in different levels of influe m, user, or process) resulting in different levels of influe
+ nce. System and user-wide environment variable scopes are sp nce. System and user-wide environment variable scopes are sp
+ ecified in the Registry, where a [Component Object Model](ht ecified in the Registry, where a [Component Object Model](ht
+ tps://attack.mitre.org/techniques/T1559/001) (COM) object ca tps://attack.mitre.org/techniques/T1559/001) (COM) object ca
+ n be registered as a profiler DLL. A process scope COR_PROFI n be registered as a profiler DLL. A process scope COR_PROFI
+ LER can also be created in-memory without modifying the Regi LER can also be created in-memory without modifying the Regi
+ stry. Starting with .NET Framework 4, the profiling DLL does stry. Starting with .NET Framework 4, the profiling DLL does
+ not need to be registered as long as the location of the DL not need to be registered as long as the location of the DL
+ L is specified in the COR_PROFILER_PATH environment variable L is specified in the COR_PROFILER_PATH environment variable
+ .(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries ma .(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries ma
+ y abuse COR_PROFILER to establish persistence that executes y abuse COR_PROFILER to establish persistence that executes
+ a malicious DLL in the context of all .NET processes every t a malicious DLL in the context of all .NET processes every t
+ ime the CLR is invoked. The COR_PROFILER can also be used to ime the CLR is invoked. The COR_PROFILER can also be used to
+ elevate privileges (ex: [Bypass User Account Control](https elevate privileges (ex: [Bypass User Account Control](https
+ ://attack.mitre.org/techniques/T1548/002)) if the victim .NE ://attack.mitre.org/techniques/T1548/002)) if the victim .NE
+ T process executes at a higher permission level, as well as T process executes at a higher permission level, as well as
+ to hook and [Impair Defenses] (https ://atta ck.mitre.org/techn to hook and impair defenses provided by .NET processes. (Cita
+ iques/T1562) provided b y .NET processes.(Citation: RedCanary tion : RedCanary Mo ckingbird Ma y 2020)(Citation: Red Canary C
+ Mockingbird May 2020)(Citation: Red Canary COR_PROFILER MayOR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019
+ 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: Git )(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NE
+ Hub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May T Profilers May 2017)
+ 2017)
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:40.510000+00:00 2026-04-16 18:58:17.752000+00:00 description Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
+
+The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
+
+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
+
+The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
+
+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1070.003] Indicator Removal: Clear Command History Current version : 2.0
Version changed from : 1.6 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:40.313000+00:00 2026-04-15 20:27:09.604000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.6 2.0
[T1070.008] Indicator Removal: Clear Mailbox Data Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 21:56:59.810000+00:00 2026-04-15 20:27:22.074000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1070.007] Indicator Removal: Clear Network Connection History and Configurations Current version : 2.0
Version changed from : 1.2 → 2.0
+
+
+
+
+
+ t Adversaries may clear or remove evidence of malicious networ t Adversaries may clear or remove evidence of malicious networ
+ k connections in order to clean up traces of their operation k connections in order to clean up traces of their operation
+ s. Configuration settings as well as various artifacts that s. Configuration settings as well as various artifacts that
+ highlight connection history may be created on a system and/ highlight connection history may be created on a system and/
+ or in application logs from behaviors that require network c or in application logs from behaviors that require network c
+ onnections, such as [Remote Services](https://attack.mitre.o onnections, such as [Remote Services](https://attack.mitre.o
+ rg/techniques/T1021) or [External Remote Services](https://a rg/techniques/T1021) or [External Remote Services](https://a
+ ttack.mitre.org/techniques/T1133). Defenders may use these a ttack.mitre.org/techniques/T1133). Defenders may use these a
+ rtifacts to monitor or otherwise analyze network connections rtifacts to monitor or otherwise analyze network connections
+ created by adversaries. Network connection history may be created by adversaries. Network connection history may be
+ stored in various locations. For example, RDP connection his stored in various locations. For example, RDP connection his
+ tory may be stored in Windows Registry values under (Citatio tory may be stored in Windows Registry values under (Citatio
+ n: Microsoft RDP Removal): * <code>HKEY_CURRENT_USER\Softwa n: Microsoft RDP Removal): * <code>HKEY_CURRENT_USER\Softwa
+ re\Microsoft\Terminal Server Client\Default</code> * <code>H re\Microsoft\Terminal Server Client\Default</code> * <code>H
+ KEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\S KEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\S
+ ervers</code> Windows may also store information about rece ervers</code> Windows may also store information about rece
+ nt RDP connections in files such as <code>C:\Users\\%usernam nt RDP connections in files such as <code>C:\Users\\%usernam
+ e%\Documents\Default.rdp</code> and `C:\Users\%username%\App e%\Documents\Default.rdp</code> and `C:\Users\%username%\App
+ Data\Local\Microsoft\Terminal Server Client\Cache\`.(Citatio Data\Local\Microsoft\Terminal Server Client\Cache\`.(Citatio
+ n: Moran RDPieces) Similarly, macOS and Linux hosts may stor n: Moran RDPieces) Similarly, macOS and Linux hosts may stor
+ e information highlighting connection history in system logs e information highlighting connection history in system logs
+ (such as those stored in `/Library/Logs` and/or `/var/log/` (such as those stored in `/Library/Logs` and/or `/var/log/`
+ ).(Citation: Apple Culprit Access)(Citation: FreeDesktop Jou ).(Citation: Apple Culprit Access)(Citation: FreeDesktop Jou
+ rnal)(Citation: Apple Unified Log Analysis Remote Login and rnal)(Citation: Apple Unified Log Analysis Remote Login and
+ Screen Sharing) Malicious network connections may also requ Screen Sharing) Malicious network connections may also requ
+ ire changes to third-party applications or network configura ire changes to third-party applications or network configura
+ tion settings, such as [Disable or Modify System Firewall](h tion settings, such as [Disable or Modify System Firewall](h
+ ttps://attack.mitre.org/techniques/T15 62/004 ) or tampering t ttps://attack.mitre.org/techniques/T1686 ) or tampering to en
+ o enable [Proxy](https://attack.mitre.org/techniques/T1090). able [Proxy](https://attack.mitre.org/techniques/T1090). Adv
+ Adversaries may delete or modify this data to conceal indic ersaries may delete or modify this data to conceal indicator
+ ators and/or impede defensive analysis. s and/or impede defensive analysis.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 20:37:16.734000+00:00 2026-04-16 19:27:07.242000+00:00 description Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
+
+Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):
+
+* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
+* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
+
+Windows may also store information about recent RDP connections in files such as C:\Users\\%username%\Documents\Default.rdp and `C:\Users\%username%\AppData\Local\Microsoft\Terminal
+Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)
+
+Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis. Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
+
+Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):
+
+* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
+* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
+
+Windows may also store information about recent RDP connections in files such as C:\Users\\%username%\Documents\Default.rdp and `C:\Users\%username%\AppData\Local\Microsoft\Terminal
+Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)
+
+Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis. kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1070.009] Indicator Removal: Clear Persistence Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 20:37:21.515000+00:00 2026-04-15 20:28:24.292000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1127.002] Trusted Developer Utilities Proxy Execution: ClickOnce Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:59:08.154000+00:00 2026-04-15 22:45:37.624000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0 kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_added STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'}
[T1078.004] Valid Accounts: Cloud Accounts Current version : 2.0
Version changed from : 1.9 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:35.682000+00:00 2026-04-15 22:51:18.773000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.9 2.0
[T1553.002] Subvert Trust Controls: Code Signing Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:37.098000+00:00 2026-04-16 20:07:53.093000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1553.006] Subvert Trust Controls: Code Signing Policy Modification Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:48.927000+00:00 2026-04-16 20:07:53.034000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1027.010] Obfuscated Files or Information: Command Obfuscation Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:06:13.992000+00:00 2026-04-15 22:16:39.249000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1027.004] Obfuscated Files or Information: Compile After Delivery Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:22.358000+00:00 2026-04-15 22:16:52.765000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1218.001] System Binary Proxy Execution: Compiled HTML File Current version : 3.0
Version changed from : 2.2 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:11.609000+00:00 2026-04-15 22:37:42.151000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[1]['url'] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625 https://web.archive.org/web/20250419140549/https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2017-8625 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.2 3.0
[T1542.002] Pre-OS Boot: Component Firmware Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:59.147000+00:00 2026-04-17 18:38:49.538000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'ITWorld Hard Disk Health Dec 2014', 'description': "Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved November 17, 2024.", 'url': 'https://www.computerworld.com/article/1484887/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html'} external_references {'source_name': 'SanDisk SMART', 'description': 'SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.). Retrieved October 2, 2018.'} external_references {'source_name': 'SmartMontools', 'description': 'smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018.', 'url': 'https://www.smartmontools.org/'}
[T1027.015] Obfuscated Files or Information: Compression Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:59:24.125000+00:00 2026-04-15 22:16:53.338000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1556.009] Modify Authentication Process: Conditional Access Policies Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:09:03.621000+00:00 2026-04-16 20:07:53.111000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1218.002] System Binary Proxy Execution: Control Panel Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:45.979000+00:00 2026-04-15 22:37:43.971000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1578.002] Modify Cloud Compute Infrastructure: Create Cloud Instance Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:24.804000+00:00 2026-04-16 20:07:52.862000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'AWS CloudTrail Search', 'description': 'Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.', 'url': 'https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/'} external_references {'source_name': 'Cloud Audit Logs', 'description': 'Google. (n.d.). Audit Logs. Retrieved June 1, 2020.', 'url': 'https://cloud.google.com/logging/docs/audit#admin-activity'} external_references {'source_name': 'Azure Activity Logs', 'description': 'Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.', 'url': 'https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs'}
[T1134.002] Access Token Manipulation: Create Process with Token Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:53.370000+00:00 2026-04-15 19:55:37.484000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft Command-line Logging', 'description': 'Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.', 'url': 'https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing'}
[T1578.001] Modify Cloud Compute Infrastructure: Create Snapshot Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:34.416000+00:00 2026-04-16 20:07:52.934000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'AWS Cloud Trail Backup API', 'description': 'Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. Retrieved April 27, 2020.', 'url': 'https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html'} external_references {'source_name': 'GCP - Creating and Starting a VM', 'description': 'Google. (2020, April 23). Creating and Starting a VM instance. Retrieved May 1, 2020.', 'url': 'https://cloud.google.com/compute/docs/instances/create-start-instance#api_2'} external_references {'source_name': 'Cloud Audit Logs', 'description': 'Google. (n.d.). Audit Logs. Retrieved June 1, 2020.', 'url': 'https://cloud.google.com/logging/docs/audit#admin-activity'} external_references {'source_name': 'Azure - Monitor Logs', 'description': 'Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor. Retrieved May 1, 2020.', 'url': 'https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor'}
[T1574.001] Hijack Execution Flow: DLL Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-11-06 17:52:37.747000+00:00 2026-04-15 22:57:22.515000+00:00 x_mitre_version 2.1 3.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1622] Debugger Evasion Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:32.196000+00:00 2026-04-15 19:57:49.208000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[9]['url'] https://github.com/vxunderground/VX-API/tree/main/Anti%20Debug https://web.archive.org/web/20250904153443/https://github.com/vxunderground/VX-API/tree/main#anti-debug x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1078.001] Valid Accounts: Default Accounts Current version : 2.0
Version changed from : 1.5 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:51.181000+00:00 2026-04-15 22:50:51.753000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 2.0
[T1678] Delay Execution Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-21 23:58:09.956000+00:00 2026-04-15 19:57:37.301000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.0 2.0
[T1578.003] Modify Cloud Compute Infrastructure: Delete Cloud Instance Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:56.705000+00:00 2026-04-16 20:07:52.915000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'AWS CloudTrail Search', 'description': 'Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.', 'url': 'https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/'} external_references {'source_name': 'Cloud Audit Logs', 'description': 'Google. (n.d.). Audit Logs. Retrieved June 1, 2020.', 'url': 'https://cloud.google.com/logging/docs/audit#admin-activity'} external_references {'source_name': 'Azure Activity Logs', 'description': 'Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.', 'url': 'https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs'}
[T1140] Deobfuscate/Decode Files or Information Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:40.925000+00:00 2026-04-15 19:58:25.069000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
[T1610] Deploy Container Current version : 2.0
Version changed from : 1.4 → 2.0
+
+
+
+
+
+ t Adversaries may deploy a container into an environment to fa t Adversaries may deploy a container into an environment to fa
+ cilitate execution or evade defenses. In some cases, adversa cilitate execution or evade defenses. In some cases, adversa
+ ries may deploy a new container to execute processes associa ries may deploy a new container to execute processes associa
+ ted with a particular image or deployment, such as processes ted with a particular image or deployment, such as processes
+ that execute or download malware. In others, an adversary m that execute or download malware. In others, an adversary m
+ ay deploy a new container configured without network rules, ay deploy a new container configured without network rules,
+ user limitations, etc. to bypass existing defenses within th user limitations, etc. to bypass existing defenses within th
+ e environment. In Kubernetes environments, an adversary may e environment. In Kubernetes environments, an adversary may
+ attempt to deploy a privileged or vulnerable container into attempt to deploy a privileged or vulnerable container into
+ a specific node in order to [Escape to Host](https://attack. a specific node in order to [Escape to Host](https://attack.
+ mitre.org/techniques/T1611) and access other containers runn mitre.org/techniques/T1611) and access other containers runn
+ ing on the node. (Citation: AppSecco Kubernetes Namespace Br ing on the node. (Citation: AppSecco Kubernetes Namespace Br
+ eakout 2020) Containers can be deployed by various means, s eakout 2020) Containers can be deployed by various means, s
+ uch as via Docker's <code>create</code> and <code>start</cod uch as via Docker's <code>create</code> and <code>start</cod
+ e> APIs or via a web application such as the Kubernetes dash e> APIs or via a web application such as the Kubernetes dash
+ board or Kubeflow. (Citation: Docker Containers API )(Citatio board or Kubeflow. (Citation: Docker Container)(Citation: Ku
+ n: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Ku bernetes Dashboard)(Citation: Kubeflow Pipelines) In Kuberne
+ bernetes environments, containers may be deployed through wo tes environments, containers may be deployed through workloa
+ rkloads such as ReplicaSets or DaemonSets, which can allow c ds such as ReplicaSets or DaemonSets, which can allow contai
+ ontainers to be deployed across multiple nodes.(Citation: Ku ners to be deployed across multiple nodes.(Citation: Kuberne
+ bernetes Workload Management) Adversaries may deploy contain tes Workload Management) Adversaries may deploy containers b
+ ers based on retrieved or built malicious images or from ben ased on retrieved or built malicious images or from benign i
+ ign images that download and execute malicious payloads at r mages that download and execute malicious payloads at runtim
+ untime.(Citation: Aqua Build Images on Hosts) e.(Citation: Aqua Build Images on Hosts)
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:49.017000+00:00 2026-04-15 19:59:11.024000+00:00 description Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
+
+Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts) Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
+
+Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts) external_references[3]['source_name'] Docker Containers API Docker Container external_references[3]['description'] Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021. DockerDocs. (n.d.). Retrieved December 8, 2025. external_references[3]['url'] https://docs.docker.com/engine/api/v1.41/#tag/Container https://docs.docker.com/reference/cli/docker/container/create/ x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1006] Direct Volume Access Current version : 3.0
Version changed from : 2.3 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:23.015000+00:00 2026-04-15 19:59:05.018000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.3 3.0
[T1600.002] Weaken Encryption: Disable Crypto Hardware Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:01.374000+00:00 2026-04-16 20:07:53.028000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1078.002] Valid Accounts: Domain Accounts Current version : 2.0
Version changed from : 1.5 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:21.034000+00:00 2026-04-15 22:50:57.880000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'TechNet Audit Policy', 'description': 'Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'} external_references {'source_name': 'Ubuntu SSSD Docs', 'description': 'Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021.', 'url': 'https://ubuntu.com/server/docs/service-sssd'}
[T1556.001] Modify Authentication Process: Domain Controller Authentication Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:27.324000+00:00 2026-04-16 20:07:53.091000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'TechNet Audit Policy', 'description': 'Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'}
[T1484] Domain or Tenant Policy Modification Current version : 4.0
Version changed from : 3.2 → 4.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:33.897000+00:00 2026-04-16 20:07:53.114000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 3.2 4.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'CISA SolarWinds Cloud Detection', 'description': 'CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021.', 'url': 'https://us-cert.cisa.gov/ncas/alerts/aa21-008a'} external_references {'source_name': 'Microsoft 365 Defender Solorigate', 'description': 'Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.', 'url': 'https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/'} external_references {'source_name': 'Microsoft - Azure Sentinel ADFSDomainTrustMods', 'description': 'Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.', 'url': 'https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml'} external_references {'source_name': 'Microsoft - Update or Repair Federated domain', 'description': 'Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.', 'url': 'https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365'} external_references {'source_name': 'Sygnia Golden SAML', 'description': 'Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved November 17, 2024.', 'url': 'https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/'}
[T1036.007] Masquerading: Double File Extension Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:25.732000+00:00 2026-04-15 20:33:07.592000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Seqrite DoubleExtension', 'description': 'Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension?. Retrieved July 27, 2021.', 'url': 'https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/'}
[T1601.002] Modify System Image: Downgrade System Image Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:39.331000+00:00 2026-04-16 20:07:53.109000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1574.004] Hijack Execution Flow: Dylib Hijacking Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:39.243000+00:00 2026-04-15 22:58:27.104000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} external_references {'source_name': 'Apple Developer Doco Archive Run-Path', 'description': 'Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.', 'url': 'https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html'}
[T1027.007] Obfuscated Files or Information: Dynamic API Resolution Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:24:25.266000+00:00 2026-04-15 22:17:50.411000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[3]['url'] https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avoiding-PInvoke.html?s=03 https://dr4k0nia.github.io/posts/HInvoke-and-avoiding-PInvoke/ x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:51.810000+00:00 2026-04-15 22:57:21.530000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1055.001] Process Injection: Dynamic-link Library Injection Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:36.680000+00:00 2026-04-15 22:26:57.009000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
[T1218.015] System Binary Proxy Execution: Electron Applications Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:24:54.174000+00:00 2026-04-20 18:01:23.195000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
iterable_item_added STIX Field Old value New Value x_mitre_contributors Uriel Kosayev
[T1548.004] Abuse Elevation Control Mechanism: Elevated Execution with Prompt Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:16.860000+00:00 2026-04-15 19:51:53.527000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1564.008] Hide Artifacts: Email Hiding Rules Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:23.364000+00:00 2026-04-15 20:18:10.251000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft BEC Campaign', 'description': 'Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.', 'url': 'https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/'}
[T1027.009] Obfuscated Files or Information: Embedded Payloads Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:03.051000+00:00 2026-04-15 22:18:17.938000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1027.013] Obfuscated Files or Information: Encrypted/Encoded File Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:05.840000+00:00 2026-04-15 22:18:22.179000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1480.001] Execution Guardrails: Environmental Keying Current version : 2.0
Version changed from : 1.1 → 2.0
+
+
+
+
+
+ t Adversaries may environmentally key payloads or other featur t Adversaries may environmentally key payloads or other featur
+ es of malware to evade defenses and constraint execution to es of malware to evade defenses and constraint execution to
+ a specific target environment. Environmental keying uses cry a specific target environment. Environmental keying uses cry
+ ptography to constrain execution or actions based on adversa ptography to constrain execution or actions based on adversa
+ ry supplied environment specific conditions that are expecte ry supplied environment specific conditions that are expecte
+ d to be present on the target. Environmental keying is an im d to be present on the target. Environmental keying is an im
+ plementation of [Execution Guardrails](https://attack.mitre. plementation of [Execution Guardrails](https://attack.mitre.
+ org/techniques/T1480) that utilizes cryptographic techniques org/techniques/T1480) that utilizes cryptographic techniques
+ for deriving encryption/decryption keys from specific types for deriving encryption/decryption keys from specific types
+ of values in a given computing environment.(Citation: EK Cl of values in a given computing environment.(Citation: EK Cl
+ ueless Agents) Values can be derived from target-specific e ueless Agents) Values can be derived from target-specific e
+ lements and used to generate a decryption key for an encrypt lements and used to generate a decryption key for an encrypt
+ ed payload. Target-specific values can be derived from speci ed payload. Target-specific values can be derived from speci
+ fic network shares, physical devices, software/software vers fic network shares, physical devices, software/software vers
+ ions, files, joined AD domains, system time, and local/exter ions, files, joined AD domains, system time, and local/exter
+ nal IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Cita nal IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Cita
+ tion: Proofpoint Router Malvertising)(Citation: EK Impeding tion: Proofpoint Router Malvertising)(Citation: EK Impeding
+ Malware Analysis)(Citation: Environmental Keyed HTA)(Citatio Malware Analysis)(Citation: Environmental Keyed HTA) By gene
+ n: E bowla: Genetic Malware) By generating the decryption key rating the decryption keys from target-specific environmenta
+ s from target-specific environmental values , environmental k l values, environmental keying can make sand box detection, a
+ eying can make sandbox detection, anti-virus detection, crow nti-virus detection, cro wdsourcing of information , and rever
+ dsourcing of information, and reverse engineering difficult.se engineering difficult.(Citation: Kaspersky Gauss Whitepap
+ (Citation: Kaspersky Gauss Whitepaper)(Citation: Eb owla: Gen er) These difficulties can sl ow do wn the incident response p
+ etic Mal ware) These difficulties can slow down the incident rocess and help adversaries hide their tactics, techniques,
+ response process and help adversaries hide their tactics, teand procedures (TTPs). Similar to [Obfuscated Files or Info
+ chniques, and procedures (TTPs). Similar to [Obfuscated Fil rmation](https://attack.mitre.org/techniques/T1027), adversa
+ es or Information](https://attack.mitre.org/techniques/T1027 ries may use environmental keying to help protect their TTPs
+ ), adversaries may use environmental keying to help protect and evade detection. Environmental keying may be used to de
+ their TTPs and evade detection. Environmental keying may be liver an encrypted payload to the target that will use targe
+ used to deliver an encrypted payload to the target that will t-specific values to decrypt the payload before execution.(C
+ use target-specific values to decrypt the payload before ex itation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding M
+ ecution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK alware Analysis)(Citation: Environmental Keyed HTA)(Citation
+ Impeding Malware Analysis)(Citation: Environmental Keyed HTA : Demiguise Guardrail Router Logo) By utilizing target-speci
+ )(Citation: E bowla: Genetic Malware)(Citation: Demiguise Gua fic values to decrypt the payload the adversary can avoid pa
+ rdrail Router Logo) By utilizing target-specific values to d ckaging the decryption key with the payload or sending it ov
+ ecrypt the payload the adversary can avoid packaging the dec er a potentially monitored network connection. Depending on
+ ryption key with the payload or sending it over a potentiall the technique for gathering target-specific values, reverse
+ y monitored network connection. Depending on the technique f engineering of the encrypted payload can be exceptionally di
+ or gathering target-specific values, reverse engineering of fficult.(Citation: Kaspersky Gauss Whitepaper) This can be u
+ the encrypted payload can be exceptionally difficult.(Citatised to prevent exposure of capabilities in environments that
+ on: Kaspersky Gauss Whitepaper) This can be used to prevent are not intended to be compromised or operated within. Lik
+ exposure of capabilities in environments that are not intend e other [Execution Guardrails](https://attack.mitre.org/tech
+ ed to be compromised or operated within. Like other [Execut niques/T1480), environmental keying can be used to prevent e
+ ion Guardrails](https://attack.mitre.org/techniques/T1480), xposure of capabilities in environments that are not intende
+ environmental keying can be used to prevent exposure of capa d to be compromised or operated within. This activity is dis
+ bilities in environments that are not intended to be comprom tinct from typical [Virtualization/Sandbox Evasion](https://
+ ised or operated within. This activity is distinct from typi attack.mitre.org/techniques/T1497). While use of [Virtualiza
+ cal [Virtualization/Sandbox Evasion](https://attack.mitre.or tion/Sandbox Evasion](https://attack.mitre.org/techniques/T1
+ g/techniques/T1497). While use of [Virtualization/Sandbox Ev 497) may involve checking for known sandbox values and conti
+ asion](https://attack.mitre.org/techniques/T1497) may involv nuing with execution only if there is no match, the use of e
+ e checking for known sandbox values and continuing with exec nvironmental keying will involve checking for an expected ta
+ ution only if there is no match, the use of environmental ke rget-specific value that must match for decryption and subse
+ ying will involve checking for an expected target-specific v quent execution to be successful.
+ alue that must match for decryption and subsequent execution
+ to be successful.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:35.768000+00:00 2026-04-15 20:07:10.470000+00:00 description Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)
+
+Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).
+
+Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
+
+Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful. Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)
+
+Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).
+
+Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
+
+Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful. kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Ebowla: Genetic Malware', 'description': 'Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019.', 'url': 'https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf'}
[T1574.005] Hijack Execution Flow: Executable Installer File Permissions Weakness Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:56.875000+00:00 2026-04-15 23:02:03.423000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1480] Execution Guardrails Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:03.764000+00:00 2026-04-15 20:03:40.312000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
[T1211] Exploitation for Stealth Current version : 2.0
Version changed from : 1.5 → 2.0
+
+
+
+
+
+ t Adversaries may exploit a system or application vulnerabilit t Adversaries may exploit vulnerabilities to evade detection b
+ y to bypass security features. Exploitation of a vulnerabili y hiding activity, suppressing logging, or operating within
+ ty occurs when an adversary takes advantage of a programming trusted or unmonitored components. Adversaries may exploit
+ error in a program, service, or within the operating system a system or application vulnerability to avoid detection wh
+ software or kernel itself to execute adversary-controlled c ile maintaining access within an environment. Exploitation o
+ ode. Vulnerabilities may exist in defensive security softwar ccurs when an adversary leverages a programming flaw to exec
+ e that can be used to disable or circumvent them. Adversari ute code in a manner that minimizes visibility or blends in
+ es may have prior knowledge through reconnaissance that secu with legitimate activity. Rather than directly disabling d
+ rity software exists within an environment or they may perfo efenses, adversaries may use exploitation to circumvent moni
+ rm checks during or shortly after the system is compromised toring and logging mechanisms. This can include abusing vuln
+ for [Security Software Discovery](https://attack.mitre.org/t erabilities in logging pipelines, security tools, or cloud i
+ echniques/T1518/001). The security software will likely be t nfrastructure to evade audit trails, suppress alerts, or ope
+ argeted directly for exploitation. There are examples of ant rate without generating telemetry. Adversaries may identif
+ ivirus software being targeted by persistent threat groups t y these opportunities through prior reconnaissance or by per
+ o avoid detection. There have also been examples of vulnera forming discovery of security controls after initial access.
+ bilities in public cloud infrastructure of SaaS applications In some cases, vulnerabilities in SaaS or public cloud envi
+ that may bypass defense boundaries (Citation: Salesforce ze ronments may be exploited to evade logging, obscure activity
+ ro-day in facebook phishing attack), evade security logs (Ci , or deploy infrastructure that remains hidden from standard
+ tation: Bypassing CloudTrail in AWS Service Catalog), or dep monitoring tools.(Citation: Bypassing CloudTrail in AWS Ser
+ loy hidden infrastructure.(Citation: GhostToken GCP flaw) vice Catalog)(Citation: GhostToken GCP flaw)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:39.960000+00:00 2026-04-15 13:36:04.483000+00:00 name Exploitation for Defense Evasion Exploitation for Stealth description Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
+
+Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.
+
+There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw) Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
+
+Adversaries may exploit a system or application vulnerability to avoid detection while maintaining access within an environment. Exploitation occurs when an adversary leverages a programming flaw to execute code in a manner that minimizes visibility or blends in with legitimate activity.
+
+Rather than directly disabling defenses, adversaries may use exploitation to circumvent monitoring and logging mechanisms. This can include abusing vulnerabilities in logging pipelines, security tools, or cloud infrastructure to evade audit trails, suppress alerts, or operate without generating telemetry.
+
+Adversaries may identify these opportunities through prior reconnaissance or by performing discovery of security controls after initial access. In some cases, vulnerabilities in SaaS or public cloud environments may be exploited to evade logging, obscure activity, or deploy infrastructure that remains hidden from standard monitoring tools.(Citation: Bypassing CloudTrail in AWS Service Catalog)(Citation: GhostToken GCP flaw) kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Salesforce zero-day in facebook phishing attack', 'description': 'Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.', 'url': 'https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/'}
[T1564.014] Hide Artifacts: Extended Attributes Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-09-17 17:58:26.729000+00:00 2026-04-15 20:19:25.896000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.0 2.0
[T1055.011] Process Injection: Extra Window Memory Injection Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:19.059000+00:00 2026-04-15 22:27:04.367000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft SendNotifyMessage function', 'description': 'Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017.', 'url': 'https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx'}
[T1070.004] Indicator Removal: File Deletion Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:27.978000+00:00 2026-04-15 20:28:46.342000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1222] File and Directory Permissions Modification Current version : 3.0
Version changed from : 2.3 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:52.570000+00:00 2026-04-16 20:07:53.078000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.3 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'EventTracker File Permissions Feb 2014', 'description': 'Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.', 'url': 'https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/'}
[T1564.012] Hide Artifacts: File/Path Exclusions Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Adversaries may attempt to hide their file-based artifacts b t Adversaries may attempt to hide their file-based artifacts b
+ y writing them to specific folders or file names excluded fr y writing them to specific folders or file names excluded fr
+ om antivirus (AV) scanning and other defensive capabilities. om antivirus (AV) scanning and other defensive capabilities.
+ AV and other file-based scanners often include exclusions t AV and other file-based scanners often include exclusions t
+ o optimize performance as well as ease installation and legi o optimize performance as well as ease installation and legi
+ timate use of applications. These exclusions may be contextu timate use of applications. These exclusions may be contextu
+ al (e.g., scans are only initiated in response to specific t al (e.g., scans are only initiated in response to specific t
+ riggering events/alerts), but are also often hardcoded strin riggering events/alerts), but are also often hardcoded strin
+ gs referencing specific folders and/or files assumed to be t gs referencing specific folders and/or files assumed to be t
+ rusted and legitimate.(Citation: Microsoft File Folder Exclu rusted and legitimate.(Citation: Microsoft File Folder Exclu
+ sions) Adversaries may abuse these exclusions to hide their sions) Adversaries may abuse these exclusions to hide their
+ file-based artifacts. For example, rather than tampering w file-based artifacts. For example, rather than tampering w
+ ith tool settings to add a new exclusion (i.e., [Disable or ith tool settings to add a new exclusion (i.e., [Disable or
+ Modify Tools](https://attack.mitre.org/techniques/T1562/001 ) Modify Tools](https://attack.mitre.org/techniques/T168 5)), a
+ ), adversaries may drop their file-based payloads in default dversaries may drop their file-based payloads in default or
+ or otherwise well-known exclusions. Adversaries may also us otherwise well-known exclusions. Adversaries may also use [S
+ e [Security Software Discovery](https://attack.mitre.org/tec ecurity Software Discovery](https://attack.mitre.org/techniq
+ hniques/T1518/001) and other [Discovery](https://attack.mitr ues/T1518/001) and other [Discovery](https://attack.mitre.or
+ e.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre. g/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/
+ org/tactics/TA0043) activities to both discover and verify e tactics/TA0043) activities to both discover and verify exist
+ xisting exclusions in a victim environment. ing exclusions in a victim environment.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:35:31.731000+00:00 2026-04-16 19:21:42.768000+00:00 description Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)
+
+Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment. Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)
+
+Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment. kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1027.011] Obfuscated Files or Information: Fileless Storage Current version : 3.0
Version changed from : 2.1 → 3.0
+
+
+
+
+
+ t Adversaries may store data in "fileless" formats to conceal t Adversaries may store data in "fileless" formats to conceal
+ malicious activity from defenses. Fileless storage can be br malicious activity from defenses. Fileless storage can be br
+ oadly defined as any format other than a file. Common exampl oadly defined as any format other than a file. Common exampl
+ es of non-volatile fileless storage in Windows systems inclu es of non-volatile fileless storage in Windows systems inclu
+ de the Windows Registry, event logs, or WMI repository.(Cita de the Windows Registry, event logs, or WMI repository.(Cita
+ tion: Microsoft Fileless)(Citation: SecureList Fileless) Sha tion: Microsoft Fileless)(Citation: SecureList Fileless) Sha
+ red memory directories on Linux systems (`/dev/shm`, `/run/s red memory directories on Linux systems (`/dev/shm`, `/run/s
+ hm`, `/var/run`, and `/var/lock`) and volatile directories o hm`, `/var/run`, and `/var/lock`) and volatile directories o
+ n Network Devices (`/tmp` and `/volatile`) may also be consi n Network Devices (`/tmp` and `/volatile`) may also be consi
+ dered fileless storage, as files written to these directorie dered fileless storage, as files written to these directorie
+ s are mapped directly to RAM and not stored on the disk.(Cit s are mapped directly to RAM and not stored on the disk.(Cit
+ ation: Elastic Binary Executed from Shared Memory Directory) ation: Elastic Binary Executed from Shared Memory Directory)
+ (Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik (Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik
+ Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISC Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISC
+ O Nexus 900 Config). Similar to fileless in-memory behavior O Nexus 900 Config). Similar to fileless in-memory behavior
+ s such as [Reflective Code Loading](https://attack.mitre.org s such as [Reflective Code Loading](https://attack.mitre.org
+ /techniques/T1620) and [Process Injection](https://attack.mi /techniques/T1620) and [Process Injection](https://attack.mi
+ tre.org/techniques/T1055), fileless data storage may remain tre.org/techniques/T1055), fileless data storage may remain
+ undetected by anti-virus and other endpoint security tools t undetected by antivirus and other endpoint security tools th
+ hat can only access specific file formats from disk storage. at can only access specific file formats from disk storage.
+ Leveraging fileless storage may also allow adversaries to b Leveraging fileless storage may also allow adversaries to by
+ ypass the protections offered by read-only file systems in Lpass the protections offered by read -only file systems in Li
+ inux.(Citation: Sysdig Fileless Malware 23022) Adversaries nux.(Citation: Sysdig Fileless Malware 23022) Adversaries m
+ may use fileless storage to conceal various types of stored ay use fileless storage to conceal various types of stored d
+ data, including payloads/shellcode (potentially being used a ata, including payloads/shellcode (potentially being used as
+ s part of [Persistence](https://attack.mitre.org/tactics/TA0 part of [Persistence](https://attack.mitre.org/tactics/TA00
+ 003)) and collected data not yet exfiltrated from the victim 03)) and collected data not yet exfiltrated from the victim
+ (e.g., [Local Data Staging](https://attack.mitre.org/techni (e.g., [Local Data Staging](https://attack.mitre.org/techniq
+ ques/T1074/001)). Adversaries also often encrypt, encode, sp ues/T1074/001)). Adversaries also often encrypt, encode, spl
+ lice, or otherwise obfuscate this fileless data when stored. ice, or otherwise obfuscate this fileless data when stored.
+ Some forms of fileless storage activity may indirectly cr Some forms of fileless storage activity may indirectly cre
+ eate artifacts in the file system, but in central and otherw ate artifacts in the file system, but in central and otherwi
+ ise difficult to inspect formats such as the WMI (e.g., `%Sy se difficult to inspect formats such as the WMI (e.g., `%Sys
+ stemRoot%\System32\Wbem\Repository`) or Registry (e.g., `%Sy temRoot%\System32\Wbem\Repository`) or Registry (e.g., `%Sys
+ stemRoot%\System32\Config`) physical files.(Citation: Micros temRoot%\System32\Config`) physical files.(Citation: Microso
+ oft Fileless) ft Fileless)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-06-05 15:30:20.139000+00:00 2026-04-15 22:18:39.119000+00:00 description Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).
+
+Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)
+
+Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.
+
+Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\System32\Wbem\Repository`) or Registry (e.g., `%SystemRoot%\System32\Config`) physical files.(Citation: Microsoft Fileless) Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).
+
+Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)
+
+Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.
+
+Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\System32\Wbem\Repository`) or Registry (e.g., `%SystemRoot%\System32\Config`) physical files.(Citation: Microsoft Fileless) kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1553.001] Subvert Trust Controls: Gatekeeper Bypass Current version : 2.0
Version changed from : 1.3 → 2.0
+
+
+
+
+
+ t Adversaries may modify file attributes and subvert Gatekeepe t Adversaries may modify file attributes and subvert Gatekeepe
+ r functionality to evade user prompts and execute untrusted r functionality to evade user prompts and execute untrusted
+ programs. Gatekeeper is a set of technologies that act as la programs. Gatekeeper is a set of technologies that act as la
+ yer of Apple’s security model to ensure only trusted applica yer of Apple’s security model to ensure only trusted applica
+ tions are executed on a host. Gatekeeper was built on top of tions are executed on a host. Gatekeeper was built on top of
+ File Quarantine in Snow Leopard (10.6, 2009) and has grown File Quarantine in Snow Leopard (10.6, 2009) and has grown
+ to include Code Signing, security policy compliance, Notariz to include Code Signing, security policy compliance, Notariz
+ ation, and more. Gatekeeper also treats applications running ation, and more. Gatekeeper also treats applications running
+ for the first time differently than reopened applications.( for the first time differently than reopened applications.(
+ Citation: TheEclecticLightCompany Quarantine and the flag)(C Citation: TheEclecticLightCompany Quarantine and the flag)(C
+ itation: TheEclecticLightCompany apple notarization ) Based itation: TheEclecticLightCompany apple notarization ) Based
+ on an opt-in system, when files are downloaded an extended on an opt-in system, when files are downloaded an extended
+ attribute (xattr) called `com.apple.quarantine` (also known attribute (xattr) called `com.apple.quarantine` (also known
+ as a quarantine flag) can be set on the file by the applicat as a quarantine flag) can be set on the file by the applicat
+ ion performing the download. Launch Services opens the appli ion performing the download. Launch Services opens the appli
+ cation in a suspended state. For first run applications with cation in a suspended state. For first run applications with
+ the quarantine flag set, Gatekeeper executes the following the quarantine flag set, Gatekeeper executes the following
+ functions: 1. Checks extended attribute – Gatekeeper checks functions: 1. Checks extended attribute – Gatekeeper checks
+ for the quarantine flag, then provides an alert prompt to t for the quarantine flag, then provides an alert prompt to t
+ he user to allow or deny execution.(Citation: OceanLotus for he user to allow or deny execution.(Citation: OceanLotus for
+ OS X)(Citation: 20 macOS Common Tools and Techniques) 2. C OS X)(Citation: 20 macOS Common Tools and Techniques) 2. C
+ hecks System Policies - Gatekeeper checks the system securit hecks System Policies - Gatekeeper checks the system securit
+ y policy, allowing execution of apps downloaded from either y policy, allowing execution of apps downloaded from either
+ just the App Store or the App Store and identified developer just the App Store or the App Store and identified developer
+ s. 3. Code Signing – Gatekeeper checks for a valid code sig s. 3. Code Signing – Gatekeeper checks for a valid code sig
+ nature from an Apple Developer ID. 4. Notarization - Using nature from an Apple Developer ID. 4. Notarization - Using
+ the `api.apple-cloudkit.com` API, Gatekeeper reaches out to the `api.apple-cloudkit.com` API, Gatekeeper reaches out to
+ Apple servers to verify or pull down the notarization ticket Apple servers to verify or pull down the notarization ticket
+ and ensure the ticket is not revoked. Users can override no and ensure the ticket is not revoked. Users can override no
+ tarization, which will result in a prompt of executing an “u tarization, which will result in a prompt of executing an “u
+ nauthorized app” and the security policy will be modified. nauthorized app” and the security policy will be modified.
+ Adversaries can subvert one or multiple security controls wi Adversaries can subvert one or multiple security controls wi
+ thin Gatekeeper checks through logic errors (e.g. [Exploitat thin Gatekeeper checks through logic errors (e.g. [Exploitat
+ ion for Defense Evasion ](https://attack.mitre.org/techniques ion for Stealth ](https://attack.mitre.org/techniques/T1211))
+ /T1211)), unchecked file types, and external libraries. For , unchecked file types, and external libraries. For example,
+ example, prior to macOS 13 Ventura, code signing and notariz prior to macOS 13 Ventura, code signing and notarization ch
+ ation checks were only conducted on first launch, allowing a ecks were only conducted on first launch, allowing adversari
+ dversaries to write malicious executables to previously open es to write malicious executables to previously opened appli
+ ed applications in order to bypass Gatekeeper security check cations in order to bypass Gatekeeper security checks.(Citat
+ s.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Ap ion: theevilbit gatekeeper bypass 2021)(Citation: Applicatio
+ plication Bundle Manipulation Brandon Dalton) Applications n Bundle Manipulation Brandon Dalton) Applications and file
+ and files loaded onto the system from a USB flash drive, opt s loaded onto the system from a USB flash drive, optical dis
+ ical disk, external hard drive, from a drive shared over the k, external hard drive, from a drive shared over the local n
+ local network, or using the curl command may not set the qu etwork, or using the curl command may not set the quarantine
+ arantine flag. Additionally, it is possible to avoid setting flag. Additionally, it is possible to avoid setting the qua
+ the quarantine flag using [Drive-by Compromise](https://att rantine flag using [Drive-by Compromise](https://attack.mitr
+ ack.mitre.org/techniques/T1189). e.org/techniques/T1189).
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:36.535000+00:00 2026-04-16 20:07:52.996000+00:00 description Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
+
+Based on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:
+
+1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.(Citation: OceanLotus for OS X)(Citation: 20 macOS Common Tools and Techniques)
+
+2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.
+
+3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID.
+
+4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified.
+
+Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Application Bundle Manipulation Brandon Dalton)
+
+Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
+
+Based on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:
+
+1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.(Citation: OceanLotus for OS X)(Citation: 20 macOS Common Tools and Techniques)
+
+2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.
+
+3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID.
+
+4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified.
+
+Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211)), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Application Bundle Manipulation Brandon Dalton)
+
+Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
[T1484.001] Domain or Tenant Policy Modification: Group Policy Modification Current version : 2.0
Version changed from : 1.1 → 2.0
+
+
+
+
+
+ t Adversaries may modify Group Policy Objects (GPOs) to subver t Adversaries may modify Group Policy Objects (GPOs) to subver
+ t the intended discretionary access controls for a domain, u t the intended discretionary access controls for a domain, u
+ sually with the intention of escalating privileges on the do sually with the intention of escalating privileges on the do
+ main. Group policy allows for centralized management of user main. Group policy allows for centralized management of user
+ and computer settings in Active Directory (AD). GPOs are co and computer settings in Active Directory (AD). GPOs are co
+ ntainers for group policy settings made up of files stored w ntainers for group policy settings made up of files stored w
+ ithin a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\ ithin a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\
+ Policies\`.(Citation: TechNet Group Policy Basics)(Citation: Policies\`.(Citation: TechNet Group Policy Basics)(Citation:
+ ADSecurity GPO Persistence 2016) Like other objects in AD ADSecurity GPO Persistence 2016) Like other objects in AD
+ , GPOs have access controls associated with them. By default , GPOs have access controls associated with them. By default
+ all user accounts in the domain have permission to read GPO all user accounts in the domain have permission to read GPO
+ s. It is possible to delegate GPO access control permissions s. It is possible to delegate GPO access control permissions
+ , e.g. write access, to specific users or groups in the doma , e.g. write access, to specific users or groups in the doma
+ in. Malicious GPO modifications can be used to implement ma in. Malicious GPO modifications can be used to implement ma
+ ny other malicious behaviors such as [Scheduled Task/Job](ht ny other malicious behaviors such as [Scheduled Task/Job](ht
+ tps://attack.mitre.org/techniques/T1053), [Disable or Modify tps://attack.mitre.org/techniques/T1053), [Disable or Modify
+ Tools](https://attack.mitre.org/techniques/T1562/001 ), [Ing Tools](https://attack.mitre.org/techniques/T168 5), [Ingress
+ ress Tool Transfer](https://attack.mitre.org/techniques/T110 Tool Transfer](https://attack.mitre.org/techniques/T1105),
+ 5), [Create Account](https://attack.mitre.org/techniques/T11 [Create Account](https://attack.mitre.org/techniques/T1136),
+ 36), [Service Execution](https://attack.mitre.org/techniques [Service Execution](https://attack.mitre.org/techniques/T15
+ /T1569/002), and more.(Citation: ADSecurity GPO Persistence 69/002), and more.(Citation: ADSecurity GPO Persistence 201
+ 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abus 6)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing
+ ing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citat GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation:
+ ion: Microsoft Hacking Team Breach) Since GPOs can control s Microsoft Hacking Team Breach) Since GPOs can control so ma
+ o many user and machine settings in the AD environment, ther ny user and machine settings in the AD environment, there ar
+ e are a great number of potential attacks that can stem from e a great number of potential attacks that can stem from thi
+ this GPO abuse.(Citation: Wald0 Guide to GPOs) For example s GPO abuse.(Citation: Wald0 Guide to GPOs) For example, pu
+ , publicly available scripts such as <code>New-GPOImmediateT blicly available scripts such as <code>New-GPOImmediateTask<
+ ask</code> can be leveraged to automate the creation of a ma /code> can be leveraged to automate the creation of a malici
+ licious [Scheduled Task/Job](https://attack.mitre.org/techni ous [Scheduled Task/Job](https://attack.mitre.org/techniques
+ ques/T1053) by modifying GPO settings, in this case modifyin /T1053) by modifying GPO settings, in this case modifying <c
+ g <code><GPO_PATH>\Machine\Preferences\ScheduledTasks\ ode><GPO_PATH>\Machine\Preferences\ScheduledTasks\Sche
+ ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Ci duledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citati
+ tation: Harmj0y Abusing GPO Permissions) In some cases an ad on: Harmj0y Abusing GPO Permissions) In some cases an advers
+ versary might modify specific user rights like SeEnableDeleg ary might modify specific user rights like SeEnableDelegatio
+ ationPrivilege, set in <code><GPO_PATH>\MACHINE\Micros nPrivilege, set in <code><GPO_PATH>\MACHINE\Microsoft\
+ oft\Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subt Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subtle A
+ le AD backdoor with complete control of the domain because t D backdoor with complete control of the domain because the u
+ he user account under the adversary's control would then be ser account under the adversary's control would then be able
+ able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPri to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivile
+ vilege Right) ge Right)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:50.475000+00:00 2026-04-16 20:07:52.883000+00:00 description Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
+
+Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.
+
+Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)
+
+For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right) Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
+
+Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.
+
+Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)
+
+For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right) kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1027.006] Obfuscated Files or Information: HTML Smuggling Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:27.501000+00:00 2026-04-15 22:19:27.839000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
[T1564.005] Hide Artifacts: Hidden File System Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:29.855000+00:00 2026-04-15 20:22:45.621000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1564.001] Hide Artifacts: Hidden Files and Directories Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:34.244000+00:00 2026-04-15 20:23:13.914000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.2 2.0
[T1564.002] Hide Artifacts: Hidden Users Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:05.113000+00:00 2026-04-15 20:23:44.205000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1564.003] Hide Artifacts: Hidden Window Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:23.485000+00:00 2026-04-15 20:23:51.965000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.4 2.0
[T1564] Hide Artifacts Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:31.407000+00:00 2026-04-15 20:17:25.231000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
[T1574] Hijack Execution Flow Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:13.820000+00:00 2026-04-20 21:18:17.156000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} external_references {'source_name': 'Autoruns for Windows', 'description': 'Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.', 'url': 'https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns'}
[T1556.007] Modify Authentication Process: Hybrid Identity Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:40:10.913000+00:00 2026-04-16 20:07:52.922000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1564.011] Hide Artifacts: Ignore Process Interrupts Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:41:11.807000+00:00 2026-04-15 20:24:37.027000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1070] Indicator Removal Current version : 3.0
Version changed from : 2.4 → 3.0
+
+
+
+
+
+ t Adversaries may delete or modify artifacts generated within t Adversaries may selectively delete or modify artifacts gener
+ systems to remove evidence of their presence or hinder defen ated to reduce indications of their presence and blend in wi
+ ses. Various artifacts may be created by an adversary or som th legitimate activity. Rather than broadly removing evidenc
+ ething that can be attributed to an adversary’s actions. Typ e, adversaries may target specific artifacts that appear ano
+ ically these artifacts are used as defensive indicators rela malous or are likely to draw scrutiny, while leaving suffici
+ ted to monitored events, such as strings from downloaded fil ent data intact to maintain the appearance of normal system
+ es, logs that are generated from user actions, and other dat behavior. Artifacts such as command histories, log entries,
+ a analyzed by defenders. Location, format, and type of artif or file metadata may be altered in ways that align with exp
+ act (such as command or login history) are often specific to ected user or system activity. Location, format, and type of
+ each platform. Removal of these indicators may interfere w artifact (such as command or login history) are often platf
+ ith event collection, reporting, or other processes used to orm-specific, allowing adversaries to tailor modifications t
+ detect intrusion activity. This may compromise the integrity hat minimize suspicion. These actions may not prevent detec
+ of security solutions by causing notable events to go unrep tion entirely but can delay recognition of malicious activit
+ orted. This activity may also impede forensic analysis and i y or reduce the fidelity of alerts by making events appear b
+ ncident response, due to lack of sufficient data to determin enign or consistent with routine operations. Additionally, s
+ e what occurred. electively removed or modified artifacts may still be recove
+ rable through deeper forensic analysis, though their absence
+ or alteration can complicate timeline reconstruction and at
+ tribution.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:59.237000+00:00 2026-04-15 15:10:02.929000+00:00 description Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
+
+Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred. Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.
+
+Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.
+
+These actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution. kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.4 3.0
[T1027.005] Obfuscated Files or Information: Indicator Removal from Tools Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:13.906000+00:00 2026-04-15 22:19:28.558000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1202] Indirect Command Execution Current version : 2.0
Version changed from : 1.3 → 2.0
+
+
+
+
+
+ t Adversaries may abuse utilities that allow for command execu t Adversaries may abuse utilities that allow for command execu
+ tion to bypass security restrictions that limit the use of c tion to bypass security restrictions that limit the use of c
+ ommand-line interpreters. Various Windows utilities may be u ommand-line interpreters. Various Windows utilities may be u
+ sed to execute commands, possibly without invoking [cmd](htt sed to execute commands, possibly without invoking [cmd](htt
+ ps://attack.mitre.org/software/S0106). For example, [Forfile ps://attack.mitre.org/software/S0106). For example, [Forfile
+ s](https://attack.mitre.org/software/S0193), the Program Com s](https://attack.mitre.org/software/S0193), the Program Com
+ patibility Assistant (`pcalua.exe`), components of the Windo patibility Assistant (`pcalua.exe`), components of the Windo
+ ws Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as ws Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as
+ other utilities may invoke the execution of programs and co other utilities may invoke the execution of programs and co
+ mmands from a [Command and Scripting Interpreter](https://at mmands from a [Command and Scripting Interpreter](https://at
+ tack.mitre.org/techniques/T1059), Run window, or via scripts tack.mitre.org/techniques/T1059), Run window, or via scripts
+ .(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Fo .(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Fo
+ rfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(C rfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(C
+ itation: SS64)(Citation: Bleeping Computer - Scriptrunner.ex itation: SS64)(Citation: Bleeping Computer - Scriptrunner.ex
+ e) Adversaries may also abuse the `ssh.exe` binary to execut e) Adversaries may also abuse the `ssh.exe` binary to execut
+ e malicious commands via the `ProxyCommand` and `LocalComman e malicious commands via the `ProxyCommand` and `LocalComman
+ d` options, which can be invoked via the `-o` flag or by mod d` options, which can be invoked via the `-o` flag or by mod
+ ifying the SSH config file.(Citation: Threat Actor Targets t ifying the SSH config file.(Citation: Threat Actor Targets t
+ he Manufacturing industry with Lumma Stealer and Amadey Bot) he Manufacturing industry with Lumma Stealer and Amadey Bot)
+ Adversaries may abuse these features for [Defense Evasion ] Adversaries may abuse these features for [Stealth ](https:/
+ (https://attack.mitre.org/tactics/TA0005), specifically to p /attack.mitre.org/tactics/TA0005), specifically to perform a
+ erform arbitrary execution while subverting detections and/o rbitrary execution while subverting detections and/or mitiga
+ r mitigation controls (such as Group Policy) that limit/prev tion controls (such as Group Policy) that limit/prevent the
+ ent the usage of [cmd](https://attack.mitre.org/software/S01 usage of [cmd](https://attack.mitre.org/software/S0106) or f
+ 06) or file extensions more commonly associated with malicio ile extensions more commonly associated with malicious paylo
+ us payloads. ads.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:40.495000+00:00 2026-04-15 20:31:14.152000+00:00 description Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)
+
+Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)
+
+Adversaries may abuse these features for [Stealth](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'RSA Forfiles Aug 2017', 'description': 'Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.', 'url': 'https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe'}
[T1553.004] Subvert Trust Controls: Install Root Certificate Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:21.832000+00:00 2026-04-16 20:07:52.931000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft Sigcheck May 2017', 'description': 'Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018.', 'url': 'https://docs.microsoft.com/sysinternals/downloads/sigcheck'} external_references {'source_name': 'Tripwire AppUNBlocker', 'description': 'Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.', 'url': 'https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/'}
[T1218.004] System Binary Proxy Execution: InstallUtil Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:34.798000+00:00 2026-04-15 22:39:41.457000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1036.001] Masquerading: Invalid Code Signature Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:15.520000+00:00 2026-04-15 20:38:13.564000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1127.003] Trusted Developer Utilities Proxy Execution: JamPlus Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-17 21:42:31.066000+00:00 2026-04-15 22:45:43.373000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0 kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_added STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'}
[T1027.016] Obfuscated Files or Information: Junk Code Insertion Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:37.495000+00:00 2026-04-15 22:19:48.489000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1574.013] Hijack Execution Flow: KernelCallbackTable Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:11.077000+00:00 2026-04-15 23:01:58.951000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1027.012] Obfuscated Files or Information: LNK Icon Smuggling Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:04.385000+00:00 2026-04-15 22:20:54.005000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[2]['url'] https://www.uperesia.com/booby-trapped-shortcut https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1222.002] File and Directory Permissions Modification: Linux and Mac Permissions Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:21.839000+00:00 2026-04-22 15:51:53.173000+00:00 name Linux and Mac File and Directory Permissions Modification Linux and Mac Permissions kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1055.015] Process Injection: ListPlanting Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:33.701000+00:00 2026-04-15 22:28:31.388000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1078.003] Valid Accounts: Local Accounts Current version : 2.0
Version changed from : 1.5 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:39.874000+00:00 2026-04-15 22:51:08.702000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 2.0
[T1218.014] System Binary Proxy Execution: MMC Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:40.236000+00:00 2026-04-15 22:39:47.445000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:22.881000+00:00 2026-04-15 22:45:30.815000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0 kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_added STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'}
[T1134.003] Access Token Manipulation: Make and Impersonate Token Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:05.200000+00:00 2026-04-15 19:56:16.233000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft Command-line Logging', 'description': 'Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.', 'url': 'https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing'}
[T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:01.286000+00:00 2026-04-16 20:07:53.040000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Disable automount for ISO', 'description': 'wordmann. (2022, February 8). Disable Disc Imgage. Retrieved February 8, 2022.', 'url': 'https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7'}
[T1036.010] Masquerading: Masquerade Account Name Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Adversaries may match or approximate the names of legitimate t Adversaries may match or approximate the names of legitimate
+ accounts to make newly created ones appear benign. This wil accounts to make newly created ones appear benign. This wil
+ l typically occur during [Create Account](https://attack.mit l typically occur during [Create Account](https://attack.mit
+ re.org/techniques/T1136), although accounts may also be rena re.org/techniques/T1136), although accounts may also be rena
+ med at a later date. This may also coincide with [Account Ac med at a later date. This may also coincide with [Account Ac
+ cess Removal](https://attack.mitre.org/techniques/T1531) if cess Removal](https://attack.mitre.org/techniques/T1531) if
+ the actor first deletes an account before re-creating one wi the actor first deletes an account before re-creating one wi
+ th the same name.(Citation: Huntress MOVEit 2023) Often, ad th the same name.(Citation: Huntress MOVEit 2023) Often, ad
+ versaries will attempt to masquerade as service accounts, su versaries will attempt to masquerade as service accounts, su
+ ch as those associated with legitimate software, data backup ch as those associated with legitimate software, data backup
+ s, or container cluster management.(Citation: Elastic CUBA R s, or container cluster management.(Citation: Elastic CUBA R
+ ansomware 2022)(Citation: Aquasec Kubernetes Attack 2023) Th ansomware 2022)(Citation: Aquasec Kubernetes Attack 2023) Th
+ ey may also give accounts generic, trustworthy names, such a ey may also give accounts generic, trustworthy names, such a
+ s “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ra s “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ra
+ nsomware 2024) Sometimes adversaries may model account names nsomware 2024) Sometimes adversaries may model account names
+ off of those already existing in the system, as a follow-on off of those already existing in the system, as a follow-on
+ behavior to [Account Discovery](https://attack.mitre.org/te behavior to [Account Discovery](https://attack.mitre.org/te
+ chniques/T1087). Note that this is distinct from [Imperso chniques/T1087). Note that this is distinct from [Imperso
+ nation](https://attack.mitre.org/techniques/T1656 ), which de nation](https://attack.mitre.org/techniques/T1684/001 ), whic
+ scribes impersonating specific trusted individuals or organi h describes impersonating specific trusted individuals or or
+ zations, rather than user or service account names. ganizations, rather than user or service account names.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:48:14.966000+00:00 2026-04-17 14:21:43.719000+00:00 description Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)
+
+Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+
+Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)
+
+Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+
+Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1036.008] Masquerading: Masquerade File Type Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-08 17:44:11.183000+00:00 2026-04-15 20:39:13.971000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.1 2.0
[T1036.004] Masquerading: Masquerade Task or Service Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:00.215000+00:00 2026-04-15 20:39:39.311000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1036] Masquerading Current version : 2.0
Version changed from : 1.8 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:42.609000+00:00 2026-04-15 20:32:00.311000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.8 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Twitter ItsReallyNick Masquerading Update', 'description': 'Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.', 'url': 'https://x.com/ItsReallyNick/status/1055321652777619457'} external_references {'source_name': 'Elastic Masquerade Ball', 'description': 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.', 'url': 'https://www.elastic.co/blog/how-hunt-masquerade-ball'}
[T1036.005] Masquerading: Match Legitimate Resource Name or Location Current version : 3.0
Version changed from : 2.0 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:28.950000+00:00 2026-04-15 20:39:41.881000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.0 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Twitter ItsReallyNick Masquerading Update', 'description': 'Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.', 'url': 'https://x.com/ItsReallyNick/status/1055321652777619457'} external_references {'source_name': 'Docker Images', 'description': 'Docker. (n.d.). Docker Images. Retrieved April 6, 2021.', 'url': 'https://docs.docker.com/engine/reference/commandline/images/'} external_references {'source_name': 'Elastic Masquerade Ball', 'description': 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.', 'url': 'https://www.elastic.co/blog/how-hunt-masquerade-ball'}
[T1218.013] System Binary Proxy Execution: Mavinject Current version : 3.0
Version changed from : 2.0 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:28.606000+00:00 2026-04-15 22:39:41.553000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.0 3.0
[T1556] Modify Authentication Process Current version : 3.0
Version changed from : 2.6 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:36.944000+00:00 2026-04-16 20:07:52.977000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.6 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Clymb3r Function Hook Passwords Sept 2013', 'description': 'Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.', 'url': 'https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/'} external_references {'source_name': 'Xorrior Authorization Plugins', 'description': 'Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021.', 'url': 'https://xorrior.com/persistent-credential-theft/'} external_references {'source_name': 'Dell Skeleton', 'description': 'Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.', 'url': 'https://www.secureworks.com/research/skeleton-key-malware-analysis'} external_references {'source_name': 'dump_pwd_dcsync', 'description': 'Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.', 'url': 'https://adsecurity.org/?p=2053'} external_references {'source_name': 'TechNet Audit Policy', 'description': 'Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'}
[T1578.005] Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations Current version : 3.0
Version changed from : 2.0 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:49:17.012000+00:00 2026-04-16 20:07:53.098000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.0 3.0
[T1578] Modify Cloud Compute Infrastructure Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:26.284000+00:00 2026-04-16 20:07:52.919000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1666] Modify Cloud Resource Hierarchy Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Adversaries may attempt to modify hierarchical structures in t Adversaries may attempt to modify hierarchical structures in
+ infrastructure-as-a-service (IaaS) environments in order to infrastructure-as-a-service (IaaS) environments in order to
+ evade defenses. IaaS environments often group resources evade defenses. IaaS environments often group resources
+ into a hierarchy, enabling improved resource management and into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical str application of policies to relevant groups. Hierarchical str
+ uctures differ among cloud providers. For example, in AWS en uctures differ among cloud providers. For example, in AWS en
+ vironments, multiple accounts can be grouped under a single vironments, multiple accounts can be grouped under a single
+ organization, while in Azure environments, multiple subscrip organization, while in Azure environments, multiple subscrip
+ tions can be grouped under a single management group.(Citati tions can be grouped under a single management group.(Citati
+ on: AWS Organizations)(Citation: Microsoft Azure Resources) on: AWS Organizations)(Citation: Microsoft Azure Resources)
+ Adversaries may add, delete, or otherwise modify resource g Adversaries may add, delete, or otherwise modify resource g
+ roups within an IaaS hierarchy. For example, in Azure enviro roups within an IaaS hierarchy. For example, in Azure enviro
+ nments, an adversary who has gained access to a Global Admin nments, an adversary who has gained access to a Global Admin
+ istrator account may create new subscriptions in which to de istrator account may create new subscriptions in which to de
+ ploy resources. They may also engage in subscription hijacki ploy resources. They may also engage in subscription hijacki
+ ng by transferring an existing pay-as-you-go subscription fr ng by transferring an existing pay-as-you-go subscription fr
+ om a victim tenant to an adversary-controlled tenant. This w om a victim tenant to an adversary-controlled tenant. This w
+ ill allow the adversary to use the victim’s compute resource ill allow the adversary to use the victim’s compute resource
+ s without generating logs on the victim tenant.(Citation: Mi s without generating logs on the victim tenant.(Citation: Mi
+ crosoft Peach Sandstorm 2023)(Citation: Microsoft Subscripti crosoft Peach Sandstorm 2023)(Citation: Microsoft Subscripti
+ on Hijacking 2022) In AWS environments, adversaries with ap on Hijacking 2022) In AWS environments, adversaries with ap
+ propriate permissions in a given account may call the `Leave propriate permissions in a given account may call the `Leave
+ Organization` API, causing the account to be severed from th Organization` API, causing the account to be severed from th
+ e AWS Organization to which it was tied and removing any Ser e AWS Organization to which it was tied and removing any Ser
+ vice Control Policies, guardrails, or restrictions imposed u vice Control Policies, guardrails, or restrictions imposed u
+ pon it by its former Organization. Alternatively, adversarie pon it by its former Organization. Alternatively, adversarie
+ s may call the `CreateAccount` API in order to create a new s may call the `CreateAccount` API in order to create a new
+ account within an AWS Organization. This account will use th account within an AWS Organization. This account will use th
+ e same payment methods registered to the payment account but e same payment methods registered to the payment account but
+ may not be subject to existing detections or Service Contro may not be subject to existing detections or Service Contro
+ l Policies.(Citation: AWS RE: Inforce Threat Detection 2024 ) l Policies.(Citation: AWS re Inforce Trust Mod )
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:49:45.874000+00:00 2026-04-16 20:07:52.999000+00:00 description Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.
+
+IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)
+
+Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)
+
+In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024) Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.
+
+IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)
+
+Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)
+
+In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod) kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment external_references[2]['source_name'] AWS RE:Inforce Threat Detection 2024 AWS re Inforce Trust Mod external_references[2]['description'] Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024. AWS re Inforce. (2024, June). Retrieved April 15, 2026. external_references[2]['url'] https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1112] Modify Registry Current version : 3.0
Version changed from : 2.0 → 3.0
+
+
+
+
+
+ t Adversaries may interact with the Windows Registry as part o t Adversaries may interact with the Windows Registry as part o
+ f a variety of other techniques to aid in defense evasion, p f a variety of other techniques to aid in defense evasion, p
+ ersistence, and execution. Access to specific areas of the ersistence, and execution. Access to specific areas of the
+ Registry depends on account permissions, with some keys requ Registry depends on account permissions, with some keys requ
+ iring administrator-level access. The built-in Windows comma iring administrator-level access. The built-in Windows comma
+ nd-line utility [Reg](https://attack.mitre.org/software/S007 nd-line utility [Reg](https://attack.mitre.org/software/S007
+ 5) may be used for local or remote Registry modification.(Ci 5) may be used for local or remote Registry modification.(Ci
+ tation: Microsoft Reg) Other tools, such as remote access to tation: Microsoft Reg) Other tools, such as remote access to
+ ols, may also contain functionality to interact with the Reg ols, may also contain functionality to interact with the Reg
+ istry through the Windows API. The Registry may be modified istry through the Windows API. The Registry may be modified
+ in order to hide configuration information or malicious pay in order to hide configuration information or malicious pay
+ loads via [Obfuscated Files or Information](https://attack.m loads via [Obfuscated Files or Information](https://attack.m
+ itre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2 itre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2
+ 019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft 019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft
+ BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra
+ 2018) The Registry may also be modified to [Impair Defenses 2018) The Registry may also be modified to impair defenses,
+ ](https://attack.mitre.org/techni ques/T1562) , such as by ena such as by enabling macros for all Microsoft Office product
+ bling macros for all Microsoft Office products, allowing pri s, allowing privilege escalation without alerting the user,
+ vilege escalation without alerting the user, increasing the increasing the maximum number of allowed outbound re quests ,
+ ma ximum number of allowed outbound requests, and/or modifyin and/or modifying systems to store plainte xt credentials in m
+ g systems to store plaintext credentials in memory.(Citationemory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabySha
+ : CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019) T rk Feb 2019) The Registry of a remote system may be modifie
+ he Registry of a remote system may be modified to aid in exe d to aid in execution of files as part of lateral movement.
+ cution of files as part of lateral movement. It requires the It requires the remote Registry service to be running on the
+ remote Registry service to be running on the target system. target system.(Citation: Microsoft Remote) Often [Valid Acc
+ (Citation: Microsoft Remote) Often [Valid Accounts](https:// ounts](https://attack.mitre.org/techniques/T1078) are requir
+ attack.mitre.org/techniques/T1078) are required, along with ed, along with access to the remote system's [SMB/Windows Ad
+ access to the remote system's [SMB/Windows Admin Shares](htt min Shares](https://attack.mitre.org/techniques/T1021/002) f
+ ps://attack.mitre.org/techniques/T1021/002) for RPC communic or RPC communication. Finally, Registry modifications may a
+ ation. Finally, Registry modifications may also include act lso include actions to hide keys, such as prepending key nam
+ ions to hide keys, such as prepending key names with a null es with a null character, which will cause an error and/or b
+ character, which will cause an error and/or be ignored when e ignored when read via [Reg](https://attack.mitre.org/softw
+ read via [Reg](https://attack.mitre.org/software/S0075) or o are/S0075) or other utilities using the Win32 API.(Citation:
+ ther utilities using the Win32 API.(Citation: Microsoft Regh Microsoft Reghide NOV 2006) Adversaries may abuse these pse
+ ide NOV 2006) Adversaries may abuse these pseudo-hidden keys udo-hidden keys to conceal payloads/commands used to maintai
+ to conceal payloads/commands used to maintain persistence.( n persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citat
+ Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps ion: SpectorOps Hiding Reg Jul 2017)
+ Hiding Reg Jul 2017)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:49.294000+00:00 2026-04-16 20:07:53.021000+00:00 description Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
+
+Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
+
+The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
+
+The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
+
+Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017) Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
+
+Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
+
+The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to impair defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
+
+The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
+
+Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017) kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.0 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft 4657 APR 2017', 'description': 'Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.', 'url': 'https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657'} external_references {'source_name': 'Microsoft RegDelNull July 2016', 'description': 'Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.', 'url': 'https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull'}
[T1601] Modify System Image Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:13.730000+00:00 2026-04-16 20:07:53.013000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Image File Verification', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#7'} external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Run-Time Memory Verification', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#13'}
[T1218.005] System Binary Proxy Execution: Mshta Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:03.265000+00:00 2026-04-15 22:40:01.325000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1218.007] System Binary Proxy Execution: Msiexec Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:38.626000+00:00 2026-04-15 22:40:01.230000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1556.006] Modify Authentication Process: Multi-Factor Authentication Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:59.338000+00:00 2026-04-16 20:07:52.875000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
[T1480.002] Execution Guardrails: Mutual Exclusion Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:50:39.088000+00:00 2026-04-15 20:07:21.724000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1564.004] Hide Artifacts: NTFS File Attributes Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:35.944000+00:00 2026-04-15 20:24:50.745000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Oddvar Moe ADS2 Apr 2018', 'description': 'Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018.', 'url': 'https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/'} external_references {'source_name': 'Oddvar Moe ADS1 Jan 2018', 'description': 'Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018.', 'url': 'https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/'} external_references {'source_name': 'Symantec ADS May 2009', 'description': 'Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. Retrieved March 21, 2018.', 'url': 'https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore'}
[T1557.001] Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay Current version : 2.0
Version changed from : 1.4 → 2.0
+
+
+
+
+
+ t By responding to LLMNR/NBT-NS network traffic, adversaries m t By responding to LLMNR/NBT-NS/mDNS network traffic, adversar
+ ay spoof an authoritative source for name resolution to forc ies may spoof an authoritative source for name resolution to
+ e communication with an adversary controlled system. This ac force communication with an adversary controlled system.(Ci
+ tivity may be used to collect or relay authentication materi tation: BlackCat ransomware) This activity may be used to co
+ als. Link-Local Multicast Name Resolution (LLMNR) and NetB llect or relay authentication materials. Link-Local Multic
+ IOS Name Service (NBT-NS) are Microsoft Windows components t ast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS
+ hat serve as alternate methods of host identification. LLMNR ) are Microsoft Windows components that serve as alternate m
+ is based upon the Domain Name System (DNS) format and allow ethods of host identification. LLMNR is based upon the Domai
+ s hosts on the same local link to perform name resolution fo n Name System (DNS) format and allows hosts on the same loca
+ r other hosts. NBT-NS identifies systems on a local network l link to perform name resolution for other hosts. NBT-NS id
+ by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: entifies systems on a local network by their NetBIOS name.(C
+ TechNet NetBIOS) Adversaries can spoof an authoritative so itation: Wikipedia LLMNR)(Citation: TechNet NetBIOS) Multic
+ urce for name resolution on a victim network by responding t ast Domain Name System(mDNS) is a zero-configuration service
+ o LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know used to resolve hostnames to IP addresses with “.local” as
+ the identity of the requested host, effectively poisoning th a top-level domain. MDNS is based upon Domain Name System (D
+ e service so that the victims will communicate with the adve NS) format and allows hosts on the same network segment to p
+ rsary controlled system. If the requested host belongs to a erform name resolution for other hosts, using multicast.(Cit
+ resource that requires identification/authentication, the us ation: mDNS RFC) Adversaries can spoof an authoritative sou
+ ername and NTLMv2 hash will then be sent to the adversary co rce for name resolution on a victim network by responding to
+ ntrolled system. The adversary can then collect the hash inf LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic a
+ ormation sent over the wire through tools that monitor the p s if they know the identity of the requested host, effective
+ orts for traffic or through [Network Sniffing](https://attac ly poisoning the service so that the victims will communicat
+ k.mitre.org/techniques/T1040) and crack the hashes offline t e with the adversary controlled system. If the requested hos
+ hrough [Brute Force](https://attack.mitre.org/techniques/T11 t belongs to a resource that requires identification/authent
+ 10) to obtain the plaintext passwords. In some cases where ication, the username and NTLMv2 hash will then be sent to t
+ an adversary has access to a system that is in the authentic he adversary controlled system. The adversary can then colle
+ ation path between systems or when automated scans that use ct the hash information sent over the wire through tools tha
+ credentials attempt to authenticate to an adversary controll t monitor the ports for traffic or through [Network Sniffing
+ ed system, the NTLMv1/v2 hashes can be intercepted and relay ](https://attack.mitre.org/techniques/T1040) and crack the h
+ ed to access and execute code against a target system. The r ashes offline through [Brute Force](https://attack.mitre.org
+ elay step can happen in conjunction with poisoning but may a /techniques/T1110) to obtain the plaintext passwords. In so
+ lso be independent of it.(Citation: byt3bl33d3r NTLM Relayin me cases where an adversary has access to a system that is i
+ g)(Citation: Secure Ideas SMB Relay) Additionally, adversari n the authentication path between systems or when automated
+ es may encapsulate the NTLMv1/v2 hashes into various protoco scans that use credentials attempt to authenticate to an adv
+ ls, such as LDAP, SMB, MSSQL and HTTP, to expand and use mul ersary controlled system, the NTLMv1/v2 hashes can be interc
+ tiple services with the valid NTLM response. Several tools epted and relayed to access and execute code against a targe
+ may be used to poison name services within local networks s t system. The relay step can happen in conjunction with pois
+ uch as NBNSpoof, Metasploit, and [Responder](https://attack. oning but may also be independent of it.(Citation: byt3bl33d
+ mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citati 3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Addition
+ on: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder) ally, adversaries may encapsulate the NTLMv1/v2 hashes into
+ various other protocols, such as LDAP, MSSQL and HTTP, to ex
+ pand and use multiple services with the valid NTLM response.
+ Several tools may be used to poison name services within
+ local networks such as NBNSpoof, Metasploit, and [Responder]
+ (https://attack.mitre.org/software/S0174).(Citation: GitHub
+ NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub R
+ esponder)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:52.462000+00:00 2026-02-03 16:53:09.295000+00:00 name LLMNR/NBT-NS Poisoning and SMB Relay Name Resolution Poisoning and SMB Relay description By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.
+
+Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)
+
+Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.
+
+In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.
+
+Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder) By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials.
+
+Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)
+
+Multicast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with “.local” as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)
+
+Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.
+
+In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.
+
+Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder) external_references[6]['source_name'] GitHub Conveigh mDNS RFC external_references[6]['description'] Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017. S. Cheshire, M. Krochmal. (2013, February). Multicast DNS. Retrieved February 2, 2026. external_references[6]['url'] https://github.com/Kevin-Robertson/Conveigh https://datatracker.ietf.org/doc/html/rfc6762 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
iterable_item_added STIX Field Old value New Value external_references {'source_name': 'BlackCat ransomware', 'description': 'Lucas Silva, Leandro Froes. (2022, April 18). An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Retrieved February 2, 2026.', 'url': 'https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html'} x_mitre_contributors Arad Inbar
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Sternsecurity LLMNR-NBTNS', 'description': 'Sternstein, J. (2013, November). Local Network Attacks: LLMNR and NBT-NS Poisoning. Retrieved November 17, 2017.', 'url': 'https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning'}
[T1599.001] Network Boundary Bridging: Network Address Translation Traversal Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:46.071000+00:00 2026-04-16 20:07:52.887000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_version 1.2 2.0
[T1599] Network Boundary Bridging Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:16.493000+00:00 2026-04-16 20:07:53.048000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1556.004] Modify Authentication Process: Network Device Authentication Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:38.719000+00:00 2026-04-16 20:07:53.117000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Image File Verification', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#7'} external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Run-Time Memory Verification', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#13'}
[T1556.008] Modify Authentication Process: Network Provider DLL Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:51:56.379000+00:00 2026-04-16 20:07:53.025000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1070.005] Indicator Removal: Network Share Connection Removal Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:11.691000+00:00 2026-04-15 20:29:50.512000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1027] Obfuscated Files or Information Current version : 2.0
Version changed from : 1.7 → 2.0
+
+
+
+
+
+ t Adversaries may attempt to make an executable or file diffic t Adversaries may attempt to make an executable or file diffic
+ ult to discover or analyze by encrypting, encoding, or other ult to discover or analyze by encrypting, encoding, or other
+ wise obfuscating its contents on the system or in transit. T wise obfuscating its contents on the system or in transit. T
+ his is common behavior that can be used across different pla his is common behavior that can be used across different pla
+ tforms and the network to evade defenses. Payloads may be tforms and the network to evade defenses. Payloads may be
+ compressed, archived, or encrypted in order to avoid detecti compressed, archived, or encrypted in order to avoid detecti
+ on. These payloads may be used during Initial Access or late on. These payloads may be used during Initial Access or late
+ r to mitigate detection. Sometimes a user's action may be re r to mitigate detection. Sometimes a user's action may be re
+ quired to open and [Deobfuscate/Decode Files or Information] quired to open and [Deobfuscate/Decode Files or Information]
+ (https://attack.mitre.org/techniques/T1140) for [User Execut (https://attack.mitre.org/techniques/T1140) for [User Execut
+ ion](https://attack.mitre.org/techniques/T1204). The user ma ion](https://attack.mitre.org/techniques/T1204). The user ma
+ y also be required to input a password to open a password pr y also be required to input a password to open a password pr
+ otected compressed/encrypted file that was provided by the a otected compressed/encrypted file that was provided by the a
+ dversary. (Citation: Volexity PowerDuke November 2016) Adver dversary.(Citation: Volexity PowerDuke November 2016) Advers
+ saries may also use compressed or archived scripts, such as aries may also use compressed or archived scripts, such as J
+ JavaScript. Portions of files can also be encoded to hide avaScript. Portions of files can also be encoded to hide t
+ the plain-text strings that would otherwise help defenders w he plain-text strings that would otherwise help defenders wi
+ ith discovery. (Citation: Linux/Cdorked.A We Live Security A th discovery.(Citation: Linux/Cdorked.A We Live Security Ana
+ nalysis) Payloads may also be split into separate, seemingly lysis) Payloads may also be split into separate, seemingly b
+ benign files that only reveal malicious functionality when enign files that only reveal malicious functionality when re
+ reassembled. (Citation: Carbon Black Obfuscation Sept 2016) assembled.(Citation: Carbon Black Obfuscation Sept 2016) Ad
+ Adversaries may also abuse [Command Obfuscation](https://at versaries may also abuse [Command Obfuscation](https://attac
+ tack.mitre.org/techniques/T1027/010) to obscure commands exe k.mitre.org/techniques/T1027/010) to obscure commands execut
+ cuted from payloads or directly via [Command and Scripting I ed from payloads or directly via [Command and Scripting Inte
+ nterpreter](https://attack.mitre.org/techniques/T1059). Envi rpreter](https://attack.mitre.org/techniques/T1059). Environ
+ ronment variables, aliases, characters, and other platform/l ment variables, aliases, characters, and other platform/lang
+ anguage specific semantics can be used to evade signature ba uage specific semantics can be used to evade signature based
+ sed detections and application control mechanisms. (Citation detections and application control mechanisms.(Citation: Fi
+ : FireEye Obfuscation June 2017) (Citation: FireEye Revoke-O reEye Obfuscation June 2017)(Citation: Fire Eye Revoke-Obfusc
+ bfuscation July 2017)(Citation: PaloAlto EncodedCommand Marc ation July 2017)(Citation: PaloAlto EncodedCommand March 201
+ h 2017) 7)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:15.265000+00:00 2026-04-15 22:14:56.435000+00:00 description Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
+
+Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
+
+Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
+
+Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
+
+Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
+
+Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Carbon Black Obfuscation Sept 2016)
+
+Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.7 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'GitHub Revoke-Obfuscation', 'description': 'Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.', 'url': 'https://github.com/danielbohannon/Revoke-Obfuscation'} external_references {'source_name': 'GitHub Office-Crackros Aug 2016', 'description': 'Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.', 'url': 'https://github.com/itsreallynick/office-crackros'}
[T1218.008] System Binary Proxy Execution: Odbcconf Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:55.622000+00:00 2026-04-15 22:40:01.263000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1036.011] Masquerading: Overwrite Process Arguments Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:30.391000+00:00 2026-04-15 20:40:03.475000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1134.004] Access Token Manipulation: Parent PID Spoofing Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:06.759000+00:00 2026-04-15 19:54:42.976000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[2]['url'] https://www.countercept.com/blog/detecting-parent-pid-spoofing/ https://web.archive.org/web/20200726110643/https://blog.f-secure.com/detecting-parent-pid-spoofing/ x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft Process Creation Flags May 2018', 'description': 'Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.', 'url': 'https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags'} external_references {'source_name': 'Secuirtyinbits Ataware3 May 2019', 'description': 'Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.', 'url': 'https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3'}
[T1550.002] Use Alternate Authentication Material: Pass the Hash Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:32.459000+00:00 2026-04-15 22:48:07.235000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1550.003] Use Alternate Authentication Material: Pass the Ticket Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:59.861000+00:00 2026-04-15 22:47:57.805000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} external_references {'source_name': 'CERT-EU Golden Ticket Protection', 'description': 'Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.', 'url': 'https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf'}
[T1556.002] Modify Authentication Process: Password Filter DLL Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:39.067000+00:00 2026-04-16 20:07:53.031000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Clymb3r Function Hook Passwords Sept 2013', 'description': 'Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.', 'url': 'https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/'}
[T1601.001] Modify System Image: Patch System Image Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:26.083000+00:00 2026-04-16 20:07:53.106000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Image File Verification', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#7'} external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Run-Time Memory Verification', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#13'}
[T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:22.736000+00:00 2026-04-15 23:01:52.753000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1574.008] Hijack Execution Flow: Path Interception by Search Order Hijacking Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:49.665000+00:00 2026-04-15 23:01:48.263000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1574.009] Hijack Execution Flow: Path Interception by Unquoted Path Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:19.228000+00:00 2026-04-15 23:01:45.477000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1647] Plist File Modification Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:00.573000+00:00 2026-04-16 20:07:52.947000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1556.003] Modify Authentication Process: Pluggable Authentication Modules Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:21.118000+00:00 2026-04-16 20:07:53.037000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1027.014] Obfuscated Files or Information: Polymorphic Code Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:59:00.006000+00:00 2026-04-15 22:20:58.199000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1205.001] Traffic Signaling: Port Knocking Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:04.301000+00:00 2026-04-15 22:44:49.425000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1055.002] Process Injection: Portable Executable Injection Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:01.839000+00:00 2026-04-15 22:28:35.452000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1542] Pre-OS Boot Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:01.466000+00:00 2026-04-17 18:38:50.048000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'ITWorld Hard Disk Health Dec 2014', 'description': "Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved November 17, 2024.", 'url': 'https://www.computerworld.com/article/1484887/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html'}
[T1055.009] Process Injection: Proc Memory Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:25.806000+00:00 2026-04-15 22:28:52.682000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1564.010] Hide Artifacts: Process Argument Spoofing Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:40.325000+00:00 2026-04-15 20:25:25.946000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Mandiant Endpoint Evading 2019', 'description': 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.', 'url': 'https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode'}
[T1055.013] Process Injection: Process Doppelgänging Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:56.422000+00:00 2026-04-15 22:28:53.747000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'hasherezade Process Doppelgänging Dec 2017', 'description': 'hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017.', 'url': 'https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/'} external_references {'source_name': 'Microsoft PsSetCreateProcessNotifyRoutine routine', 'description': 'Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017.', 'url': 'https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx'}
[T1055.012] Process Injection: Process Hollowing Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:14.559000+00:00 2026-04-15 22:30:23.429000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Nviso Spoof Command Line 2020', 'description': 'Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.', 'url': 'https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/'} external_references {'source_name': 'Mandiant Endpoint Evading 2019', 'description': 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.', 'url': 'https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode'}
[T1055] Process Injection Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:43.053000+00:00 2026-04-15 22:26:41.663000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'GNU Acct', 'description': 'GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.', 'url': 'https://www.gnu.org/software/acct/'} external_references {'source_name': 'Elastic Process Injection July 2017', 'description': 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.', 'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'} external_references {'source_name': 'RHEL auditd', 'description': 'Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.', 'url': 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing'} external_references {'source_name': 'ArtOfMemoryForensics', 'description': 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.'} external_references {'source_name': 'Microsoft Sysmon v6 May 2017', 'description': 'Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.', 'url': 'https://docs.microsoft.com/sysinternals/downloads/sysmon'} external_references {'source_name': 'Chokepoint preload rootkits', 'description': 'stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.', 'url': 'http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html'}
[T1055.008] Process Injection: Ptrace System Calls Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:33.344000+00:00 2026-04-15 22:30:27.359000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'ArtOfMemoryForensics', 'description': 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.'} external_references {'source_name': 'GNU Acct', 'description': 'GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.', 'url': 'https://www.gnu.org/software/acct/'} external_references {'source_name': 'RHEL auditd', 'description': 'Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.', 'url': 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing'} external_references {'source_name': 'Chokepoint preload rootkits', 'description': 'stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.', 'url': 'http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html'}
[T1216.001] System Script Proxy Execution: PubPrn Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:22.022000+00:00 2026-04-15 22:42:36.777000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1542.004] Pre-OS Boot: ROMMONkit Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:11.524000+00:00 2026-04-17 18:38:49.551000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1600.001] Weaken Encryption: Reduce Key Space Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:40.223000+00:00 2026-04-16 20:07:53.005000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1620] Reflective Code Loading Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:44.030000+00:00 2026-04-15 22:32:18.632000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[7]['url'] https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ https://intezer.com/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'MDSec Detecting DOTNET', 'description': 'MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021.', 'url': 'https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/'}
[T1218.009] System Binary Proxy Execution: Regsvcs/Regasm Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:21.181000+00:00 2026-04-15 22:41:42.115000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1218.010] System Binary Proxy Execution: Regsvr32 Current version : 3.0
Version changed from : 2.2 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:17.377000+00:00 2026-04-15 22:41:58.327000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.2 3.0
[T1070.010] Indicator Removal: Relocate Malware Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-05 16:08:40.119000+00:00 2026-04-15 20:29:55.911000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.2 2.0
[T1036.003] Masquerading: Rename Legitimate Utilities Current version : 3.0
Version changed from : 2.0 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:18.517000+00:00 2026-04-15 20:40:54.471000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.0 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Twitter ItsReallyNick Masquerading Update', 'description': 'Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.', 'url': 'https://x.com/ItsReallyNick/status/1055321652777619457'}
[T1564.009] Hide Artifacts: Resource Forking Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:14.736000+00:00 2026-04-15 20:25:32.891000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1556.005] Modify Authentication Process: Reversible Encryption Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:27.587000+00:00 2026-04-16 20:07:53.082000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1578.004] Modify Cloud Compute Infrastructure: Revert Cloud Instance Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:21.210000+00:00 2026-04-16 20:07:52.953000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1036.002] Masquerading: Right-to-Left Override Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:58.683000+00:00 2026-04-15 20:41:03.753000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[3]['url'] https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/ https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/ x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1207] Rogue Domain Controller Current version : 3.0
Version changed from : 2.2 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:48.823000+00:00 2026-04-16 20:07:52.911000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.2 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'GitHub DCSYNCMonitor', 'description': 'Spencer S. (2018, February 22). DCSYNCMonitor. Retrieved March 30, 2018.', 'url': 'https://github.com/shellster/DCSYNCMonitor'} external_references {'source_name': 'Microsoft DirSync', 'description': 'Microsoft. (n.d.). Polling for Changes Using the DirSync Control. Retrieved March 30, 2018.', 'url': 'https://msdn.microsoft.com/en-us/library/ms677626.aspx'} external_references {'source_name': 'ADDSecurity DCShadow Feb 2018', 'description': 'Lucand,G. (2018, February 18). Detect DCShadow, impossible?. Retrieved March 30, 2018.', 'url': 'https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html'}
[T1014] Rootkit Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:24.032000+00:00 2026-04-15 22:32:28.874000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.3 2.0
[T1564.006] Hide Artifacts: Run Virtual Instance Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-11-05 15:22:05.269000+00:00 2026-04-15 20:26:04.116000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.3 2.0
[T1218.011] System Binary Proxy Execution: Rundll32 Current version : 3.0
Version changed from : 2.5 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:20.567000+00:00 2026-04-15 22:42:03.135000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 2.5 3.0
[T1134.005] Access Token Manipulation: SID-History Injection Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:16.316000+00:00 2026-04-15 19:55:14.114000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft Get-ADUser', 'description': 'Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.', 'url': 'https://technet.microsoft.com/library/ee617241.aspx'} external_references {'source_name': 'AdSecurity SID History Sept 2015', 'description': 'Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.', 'url': 'https://adsecurity.org/?p=1772'} external_references {'source_name': 'Microsoft DsAddSidHistory', 'description': 'Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.', 'url': 'https://msdn.microsoft.com/library/ms677982.aspx'}
[T1553.003] Subvert Trust Controls: SIP and Trust Provider Hijacking Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:48.200000+00:00 2026-04-16 20:07:53.087000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Entrust Enable CAPI2 Aug 2017', 'description': 'Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018.', 'url': 'http://www.entrust.net/knowledge-base/technote.cfm?tn=8165'} external_references {'source_name': 'Microsoft Audit Registry July 2012', 'description': 'Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018.', 'url': 'https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)'} external_references {'source_name': 'Microsoft Registry Auditing Aug 2016', 'description': 'Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018.', 'url': 'https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)'}
[T1027.017] Obfuscated Files or Information: SVG Smuggling Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:43.263000+00:00 2026-04-15 22:22:02.298000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1679] Selective Exclusion Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-22 03:50:30.406000+00:00 2026-04-15 22:32:31.453000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 1.0 2.0
[T1574.010] Hijack Execution Flow: Services File Permissions Weakness Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:09.575000+00:00 2026-04-15 23:02:37.539000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1574.011] Hijack Execution Flow: Services Registry Permissions Weakness Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:27.075000+00:00 2026-04-15 23:02:58.258000+00:00 x_mitre_version 1.3 2.0 kill_chain_phases[1] {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'} kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} external_references {'source_name': 'Autoruns for Windows', 'description': 'Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.', 'url': 'https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns'}
[T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid Current version : 2.0
Version changed from : 1.2 → 2.0
+
+
+
+
+
+ t An adversary may abuse configurations where an application h t An adversary may abuse configurations where an application h
+ as the setuid or setgid bits set in order to get code runnin as the setuid or setgid bits set in order to get code runnin
+ g in a different (and possibly more privileged) user’s conte g in a different (and possibly more privileged) user’s conte
+ xt. On Linux or macOS, when the setuid or setgid bits are se xt. On Linux or macOS, when the setuid or setgid bits are se
+ t for an application binary, the application will run with t t for an application binary, the application will run with t
+ he privileges of the owning user or group respectively.(Cita he privileges of the owning user or group respectively.(Cita
+ tion: setuid man page) Normally an application is run in the tion: setuid man page) Normally an application is run in the
+ current user’s context, regardless of which user or group o current user’s context, regardless of which user or group o
+ wns the application. However, there are instances where prog wns the application. However, there are instances where prog
+ rams need to be executed in an elevated context to function rams need to be executed in an elevated context to function
+ properly, but the user running them may not have the specifi properly, but the user running them may not have the specifi
+ c required privileges. Instead of creating an entry in the c required privileges. Instead of creating an entry in the
+ sudoers file, which must be done by root, any user can speci sudoers file, which must be done by root, any user can speci
+ fy the setuid or setgid flag to be set for their own applica fy the setuid or setgid flag to be set for their own applica
+ tions (i.e. [Linux and Mac File and Directory Permissions Mo tions (i.e. [Linux and Mac Permissions](https://attack.mitre
+ dification ](https://attack.mitre.org/techniques/T1222/002))..org/techniques/T1222/002)). The <code>chmod</code> command
+ The <code>chmod</code> command can set these bits with bitm can set these bits with bitmasking, <code>chmod 4777 [file]<
+ asking, <code>chmod 4777 [file]</code> or via shorthand nami /code> or via shorthand naming, <code>chmod u+s [file]</code
+ ng, <code>chmod u+s [file]</code>. This will enable the setu >. This will enable the setuid bit. To enable the setgid bit
+ id bit. To enable the setgid bit, <code>chmod 2775</code> an , <code>chmod 2775</code> and <code>chmod g+s</code> can be
+ d <code>chmod g+s</code> can be used. Adversaries can use t used. Adversaries can use this mechanism on their own malwa
+ his mechanism on their own malware to make sure they're able re to make sure they're able to execute in elevated contexts
+ to execute in elevated contexts in the future.(Citation: OS in the future.(Citation: OSX Keydnap malware) This abuse is
+ X Keydnap malware) This abuse is often part of a "shell esca often part of a "shell escape" or other actions to bypass a
+ pe" or other actions to bypass an execution environment with n execution environment with restricted permissions. Altern
+ restricted permissions. Alternatively, adversaries may cho atively, adversaries may choose to find and target vulnerabl
+ ose to find and target vulnerable binaries with the setuid o e binaries with the setuid or setgid bits already enabled (i
+ r setgid bits already enabled (i.e. [File and Directory Disc .e. [File and Directory Discovery](https://attack.mitre.org/
+ overy](https://attack.mitre.org/techniques/T1083)). The setu techniques/T1083)). The setuid and setguid bits are indicate
+ id and setguid bits are indicated with an "s" instead of an d with an "s" instead of an "x" when viewing a file's attrib
+ "x" when viewing a file's attributes via <code>ls -l</code>. utes via <code>ls -l</code>. The <code>find</code> command c
+ The <code>find</code> command can also be used to search fo an also be used to search for such files. For example, <code
+ r such files. For example, <code>find / -perm +4000 2>/dev/n >find / -perm +4000 2>/dev/null</code> can be used to find f
+ ull</code> can be used to find files with setuid set and <co iles with setuid set and <code>find / -perm +2000 2>/dev/nul
+ de>find / -perm +2000 2>/dev/null</code> may be used for set l</code> may be used for setgid. Binaries that have these bi
+ gid. Binaries that have these bits set may then be abused by ts set may then be abused by adversaries.(Citation: GTFOBins
+ adversaries.(Citation: GTFOBins Suid) Suid)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:53.456000+00:00 2026-04-15 19:52:13.675000+00:00 description An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
+
+Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.
+
+Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.
+
+Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid) An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
+
+Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.
+
+Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.
+
+Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1205.002] Traffic Signaling: Socket Filters Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:19.274000+00:00 2026-04-15 22:45:22.463000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'crowdstrike bpf socket filters', 'description': 'Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022.', 'url': 'https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/'}
[T1027.002] Obfuscated Files or Information: Software Packing Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:29.503000+00:00 2026-04-15 22:15:31.610000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
[T1036.006] Masquerading: Space after Filename Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:32.287000+00:00 2026-04-15 20:41:09.462000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1027.003] Obfuscated Files or Information: Steganography Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:20.395000+00:00 2026-04-15 22:21:09.201000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1027.008] Obfuscated Files or Information: Stripped Payloads Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:18.337000+00:00 2026-04-15 22:21:58.918000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1553] Subvert Trust Controls Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:16.766000+00:00 2026-04-16 20:07:53.101000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'SpectorOps Code Signing Dec 2017', 'description': 'Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.', 'url': 'https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec'}
[T1548.003] Abuse Elevation Control Mechanism: Sudo and Sudo Caching Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:26.105000+00:00 2026-04-15 19:52:35.310000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1216.002] System Script Proxy Execution: SyncAppvPublishingServer Current version : 2.0
Version changed from : 1.0 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 23:13:55.573000+00:00 2026-04-15 22:42:56.654000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 2.0
[T1218] System Binary Proxy Execution Current version : 4.0
Version changed from : 3.2 → 4.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:43.406000+00:00 2026-04-15 22:37:10.607000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 3.2 4.0
[T1497.001] Virtualization/Sandbox Evasion: System Checks Current version : 3.0
Version changed from : 2.3 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:33.591000+00:00 2026-04-15 22:51:53.404000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.3 3.0
[T1542.001] Pre-OS Boot: System Firmware Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:26.714000+00:00 2026-04-17 18:38:49.546000+00:00 kill_chain_phases[1]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'McAfee CHIPSEC Blog', 'description': 'Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.', 'url': 'https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/'} external_references {'source_name': 'MITRE Copernicus', 'description': 'Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.', 'url': 'http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about'} external_references {'source_name': 'Intel HackingTeam UEFI Rootkit', 'description': "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.", 'url': 'https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html'} external_references {'source_name': 'Github CHIPSEC', 'description': 'Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.', 'url': 'https://github.com/chipsec/chipsec'} external_references {'source_name': 'MITRE Trustworthy Firmware Measurement', 'description': 'Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.', 'url': 'http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research'}
[T1216] System Script Proxy Execution Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:37.665000+00:00 2026-04-15 22:42:22.297000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1548.006] Abuse Elevation Control Mechanism: TCC Manipulation Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 23:14:58.393000+00:00 2026-04-15 19:52:55.058000+00:00 external_references[2]['url'] https://interpressecurity.com/resources/return-of-the-macos-tcc/ https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/ x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1542.005] Pre-OS Boot: TFTP Boot Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:33.317000+00:00 2026-04-17 18:38:49.555000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Secure Boot', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#35'} external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Image File Verification', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#7'} external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Run-Time Memory Verification', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#13'} external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Command History', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#23'} external_references {'source_name': 'Cisco IOS Software Integrity Assurance - Boot Information', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot Information. Retrieved October 21, 2020.', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#26'}
[T1221] Template Injection Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:28.862000+00:00 2026-04-15 22:44:24.229000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
[T1548.005] Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 23:15:17.608000+00:00 2026-04-15 19:53:18.398000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1055.003] Process Injection: Thread Execution Hijacking Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:42.433000+00:00 2026-04-15 22:30:40.463000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1055.005] Process Injection: Thread Local Storage Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:32.111000+00:00 2026-04-15 22:30:51.339000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Elastic Process Injection July 2017', 'description': 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.', 'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'}
[T1497.003] Virtualization/Sandbox Evasion: Time Based Checks Current version : 3.0
Version changed from : 2.0 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:44.870000+00:00 2026-04-15 22:52:39.442000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_version 2.0 3.0
[T1070.006] Indicator Removal: Timestomp Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:43.937000+00:00 2026-04-15 20:30:57.770000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1134.001] Access Token Manipulation: Token Impersonation/Theft Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:04.117000+00:00 2026-04-15 19:54:20.663000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Microsoft Command-line Logging', 'description': 'Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.', 'url': 'https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing'}
[T1205] Traffic Signaling Current version : 3.0
Version changed from : 2.5 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:43.225000+00:00 2026-04-15 22:44:32.591000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.5 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'GitLab WakeOnLAN', 'description': 'Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February 17, 2021.', 'url': 'https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN'}
[T1484.002] Domain or Tenant Policy Modification: Trust Modification Current version : 3.0
Version changed from : 2.2 → 3.0
+
+
+
+
+
+ t Adversaries may add new domain trusts, modify the properties t Adversaries may add new domain trusts, modify the properties
+ of existing domain trusts, or otherwise change the configur of existing domain trusts, or otherwise change the configur
+ ation of trust relationships between domains and tenants to ation of trust relationships between domains and tenants to
+ evade defenses and/or elevate privileges.Trust details, such evade defenses and/or elevate privileges.Trust details, such
+ as whether or not user identities are federated, allow auth as whether or not user identities are federated, allow auth
+ entication and authorization properties to apply between dom entication and authorization properties to apply between dom
+ ains or tenants for the purpose of accessing shared resource ains or tenants for the purpose of accessing shared resource
+ s.(Citation: Microsoft - Azure AD Federation) These trust ob s.(Citation: Microsoft - Azure AD Federation) These trust ob
+ jects may include accounts, credentials, and other authentic jects may include accounts, credentials, and other authentic
+ ation material applied to servers, tokens, and domains. Man ation material applied to servers, tokens, and domains. Man
+ ipulating these trusts may allow an adversary to escalate pr ipulating these trusts may allow an adversary to escalate pr
+ ivileges and/or evade defenses by modifying settings to add ivileges and/or evade defenses by modifying settings to add
+ objects which they control. For example, in Microsoft Active objects which they control. For example, in Microsoft Active
+ Directory (AD) environments, this may be used to forge [SAM Directory (AD) environments, this may be used to forge [SAM
+ L Tokens](https://attack.mitre.org/techniques/T1606/002) wit L Tokens](https://attack.mitre.org/techniques/T1606/002) wit
+ hout the need to compromise the signing certificate to forge hout the need to compromise the signing certificate to forge
+ new credentials. Instead, an adversary can manipulate domai new credentials. Instead, an adversary can manipulate domai
+ n trusts to add their own signing certificate. An adversary n trusts to add their own signing certificate. An adversary
+ may also convert an AD domain to a federated domain using Ac may also convert an AD domain to a federated domain using Ac
+ tive Directory Federation Services (AD FS), which may enable tive Directory Federation Services (AD FS), which may enable
+ malicious trust modifications such as altering the claim is malicious trust modifications such as altering the claim is
+ suance rules to log in any valid set of credentials as a spe suance rules to log in any valid set of credentials as a spe
+ cified user.(Citation: AADInternals zure AD Federated Domain cified user.(Citation: AADInternals zure AD Federated Domain
+ ) An adversary may also add a new federated identity provi ) An adversary may also add a new federated identity provi
+ der to an identity tenant such as Okta or AWS IAM Identity C der to an identity tenant such as Okta or AWS IAM Identity C
+ enter, which may enable the adversary to authenticate as any enter, which may enable the adversary to authenticate as any
+ user of the tenant.(Citation: Okta Cross-Tenant Impersonati user of the tenant.(Citation: Okta Cross-Tenant Impersonati
+ on 2023) This may enable the threat actor to gain broad acce on 2023) This may enable the threat actor to gain broad acce
+ ss into a variety of cloud-based services that leverage the ss into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an advers identity tenant. For example, in AWS environments, an advers
+ ary that creates a new identity provider for an AWS Organiza ary that creates a new identity provider for an AWS Organiza
+ tion will be able to federate into all of the AWS Organizati tion will be able to federate into all of the AWS Organizati
+ on member accounts without creating identities for each of t on member accounts without creating identities for each of t
+ he member accounts.(Citation: AWS RE: Inforce Threat Detectio he member accounts.(Citation: AWS re Inforce Trust Mod )
+ n 2024 )
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:32.244000+00:00 2026-04-16 20:07:52.987000+00:00 description Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.
+
+Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)
+
+An adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024) Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.
+
+Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)
+
+An adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS re Inforce Trust Mod) kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment external_references[1]['source_name'] AWS RE:Inforce Threat Detection 2024 AWS re Inforce Trust Mod external_references[1]['description'] Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024. AWS re Inforce. (2024, June). Retrieved April 15, 2026. external_references[1]['url'] https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.2 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'CISA SolarWinds Cloud Detection', 'description': 'CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021.', 'url': 'https://us-cert.cisa.gov/ncas/alerts/aa21-008a'} external_references {'source_name': 'Microsoft - Azure Sentinel ADFSDomainTrustMods', 'description': 'Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.', 'url': 'https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml'} external_references {'source_name': 'Microsoft - Update or Repair Federated domain', 'description': 'Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.', 'url': 'https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365'} external_references {'source_name': 'Sygnia Golden SAML', 'description': 'Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved November 17, 2024.', 'url': 'https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/'}
[T1127] Trusted Developer Utilities Proxy Execution Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_added STIX Field Old value New Value x_mitre_remote_support False
dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:40.055000+00:00 2026-04-15 22:45:17.637000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0 kill_chain_phases[0] {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} {'kill_chain_name': 'mitre-attack', 'phase_name': 'stealth'}
iterable_item_added STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'}
[T1535] Unused/Unsupported Cloud Regions Current version : 2.0
Version changed from : 1.1 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:49.853000+00:00 2026-04-15 22:48:40.705000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1550] Use Alternate Authentication Material Current version : 2.0
Version changed from : 1.5 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:46.684000+00:00 2026-04-15 22:48:07.391000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'} external_references {'source_name': 'TechNet Audit Policy', 'description': 'Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'}
[T1497.002] Virtualization/Sandbox Evasion: User Activity Based Checks Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:06.305000+00:00 2026-04-15 22:52:22.149000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
[T1564.007] Hide Artifacts: VBA Stomping Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:22.623000+00:00 2026-04-15 20:26:09.220000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'oletools toolkit', 'description': 'decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020.', 'url': 'https://github.com/decalage2/oletools'}
[T1055.014] Process Injection: VDSO Hijacking Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:08.040000+00:00 2026-04-15 22:30:51.756000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'GNU Acct', 'description': 'GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.', 'url': 'https://www.gnu.org/software/acct/'} external_references {'source_name': 'RHEL auditd', 'description': 'Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.', 'url': 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing'} external_references {'source_name': 'ArtOfMemoryForensics', 'description': 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.'} external_references {'source_name': 'Chokepoint preload rootkits', 'description': 'stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.', 'url': 'http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html'}
[T1078] Valid Accounts Current version : 3.0
Version changed from : 2.8 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:14.095000+00:00 2026-04-15 22:49:37.148000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.8 3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'TechNet Audit Policy', 'description': 'Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'}
[T1218.012] System Binary Proxy Execution: Verclsid Current version : 3.0
Version changed from : 2.1 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:01.930000+00:00 2026-04-15 22:42:21.088000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 3.0
[T1497] Virtualization/Sandbox Evasion Current version : 2.0
Version changed from : 1.4 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:02.638000+00:00 2026-04-15 22:52:12.932000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 2.0
[T1600] Weaken Encryption Current version : 2.0
Version changed from : 1.1 → 2.0
+
+
+
+
+
+ t Adversaries may compromise a network device’s encryption cap t Adversaries may compromise a network device’s encryption cap
+ ability in order to bypass encryption that would otherwise p ability in order to bypass encryption that would otherwise p
+ rotect data communications. (Citation: Cisco Synful Knock Ev rotect data communications.(Citation: Cisco Synful Knock Evo
+ olution) Encryption can be used to protect transmitted netw lution) Encryption can be used to protect transmitted netwo
+ ork traffic to maintain its confidentiality (protect against rk traffic to maintain its confidentiality (protect against
+ unauthorized disclosure) and integrity (protect against una unauthorized disclosure) and integrity (protect against unau
+ uthorized changes). Encryption ciphers are used to convert a thorized changes). Encryption ciphers are used to convert a
+ plaintext message to ciphertext and can be computationally plaintext message to ciphertext and can be computationally i
+ intensive to decipher without the associated decryption key. ntensive to decipher without the associated decryption key.
+ Typically, longer keys increase the cost of cryptanalysis, Typically, longer keys increase the cost of cryptanalysis, o
+ or decryption without the key. Adversaries can compromise a r decryption without the key. Adversaries can compromise an
+ nd manipulate devices that perform encryption of network tra d manipulate devices that perform encryption of network traf
+ ffic. For example, through behaviors such as [Modify System fic. For example, through behaviors such as [Modify System I
+ Image](https://attack.mitre.org/techniques/T1601), [Reduce K mage](https://attack.mitre.org/techniques/T1601), [Reduce Ke
+ ey Space](https://attack.mitre.org/techniques/T1600/001), an y Space](https://attack.mitre.org/techniques/T1600/001), and
+ d [Disable Crypto Hardware](https://attack.mitre.org/techniq [Disable Crypto Hardware](https://attack.mitre.org/techniqu
+ ues/T1600/002), an adversary can negatively effect and/or el es/T1600/002), an adversary can negatively effect and/or eli
+ iminate a device’s ability to securely encrypt network traff minate a device’s ability to securely encrypt network traffi
+ ic. This poses a greater risk of unauthorized disclosure and c. This poses a greater risk of unauthorized disclosure and
+ may help facilitate data manipulation, Credential Access, o may help facilitate data manipulation, Credential Access, or
+ r Collection efforts. (Citation: Cisco Blog Legacy Device At Collection efforts.(Citation: Cisco Blog Legacy Device Atta
+ tacks) cks)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:30.124000+00:00 2026-04-16 20:07:53.046000+00:00 description Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
+
+Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.
+
+Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks) Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.(Citation: Cisco Synful Knock Evolution)
+
+Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.
+
+Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts.(Citation: Cisco Blog Legacy Device Attacks) kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
[T1550.004] Use Alternate Authentication Material: Web Session Cookie Current version : 2.0
Version changed from : 1.5 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:20.943000+00:00 2026-04-15 22:48:02.590000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 2.0
iterable_item_removed STIX Field Old value New Value kill_chain_phases {'kill_chain_name': 'mitre-attack', 'phase_name': 'defense-evasion'}
[T1222.001] File and Directory Permissions Modification: Windows Permissions Current version : 2.0
Version changed from : 1.2 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:37.826000+00:00 2026-04-22 15:51:17.272000+00:00 name Windows File and Directory Permissions Modification Windows Permissions kill_chain_phases[0]['phase_name'] defense-evasion defense-impairment x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'EventTracker File Permissions Feb 2014', 'description': 'Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.', 'url': 'https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/'}
[T1220] XSL Script Processing Current version : 2.0
Version changed from : 1.3 → 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:33.993000+00:00 2026-04-15 22:53:58.559000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth external_references[4]['url'] https://www.microsoft.com/download/details.aspx?id=21714 https://web.archive.org/web/20190508171106/https://www.microsoft.com/en-us/download/details.aspx?id=21714 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 2.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Twitter SquiblyTwo Detection APR 2018', 'description': 'Desimone, J. (2018, April 18). Status Update. Retrieved September 12, 2024.', 'url': 'https://x.com/dez_/status/986614411711442944'}
Minor Version Changes [T1059] Command and Scripting Interpreter Current version : 2.7
Version changed from : 2.6 → 2.7
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:57.520000+00:00 2026-01-27 20:03:38.098000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.6 2.7
iterable_item_added STIX Field Old value New Value x_mitre_platforms Containers x_mitre_platforms SaaS
[T1053] Scheduled Task/Job Current version : 2.5
Version changed from : 2.4 → 2.5
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:38.539000+00:00 2026-04-06 13:58:22.807000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.4 2.5
iterable_item_added STIX Field Old value New Value x_mitre_platforms Network Devices
Patches [T1557] Adversary-in-the-Middle Current version : 2.5
+
+
+
+
+
+ t Adversaries may attempt to position themselves between two o t Adversaries may attempt to position themselves between two o
+ r more networked devices using an adversary-in-the-middle (A r more networked devices using an adversary-in-the-middle (A
+ iTM) technique to support follow-on behaviors such as [Netwo iTM) technique to support follow-on behaviors such as [Netwo
+ rk Sniffing](https://attack.mitre.org/techniques/T1040), [Tr rk Sniffing](https://attack.mitre.org/techniques/T1040), [Tr
+ ansmitted Data Manipulation](https://attack.mitre.org/techni ansmitted Data Manipulation](https://attack.mitre.org/techni
+ ques/T1565/002), or replay attacks ([Exploitation for Creden ques/T1565/002), or replay attacks ([Exploitation for Creden
+ tial Access](https://attack.mitre.org/techniques/T1212)). By tial Access](https://attack.mitre.org/techniques/T1212)). By
+ abusing features of common networking protocols that can de abusing features of common networking protocols that can de
+ termine the flow of network traffic (e.g. ARP, DNS, LLMNR, e termine the flow of network traffic (e.g. ARP, DNS, LLMNR, e
+ tc.), adversaries may force a device to communicate through tc.), adversaries may force a device to communicate through
+ an adversary controlled system so they can collect informati an adversary controlled system so they can collect informati
+ on or perform additional actions.(Citation: Rapid7 MiTM Basi on or perform additional actions.(Citation: Rapid7 MiTM Basi
+ cs) For example, adversaries may manipulate victim DNS sett cs) For example, adversaries may manipulate victim DNS sett
+ ings to enable other malicious activities such as preventing ings to enable other malicious activities such as preventing
+ /redirecting users from accessing legitimate sites and/or pu /redirecting users from accessing legitimate sites and/or pu
+ shing additional malware.(Citation: ttint_rat)(Citation: dns shing additional malware.(Citation: ttint_rat)(Citation: dns
+ _changer_trojans)(Citation: ad_blocker_with_miner) Adversari _changer_trojans)(Citation: ad_blocker_with_miner) Adversari
+ es may also manipulate DNS and leverage their position in or es may also manipulate DNS and leverage their position in or
+ der to intercept user credentials, including access tokens ( der to intercept user credentials, including access tokens (
+ [Steal Application Access Token](https://attack.mitre.org/te [Steal Application Access Token](https://attack.mitre.org/te
+ chniques/T1528)) and session cookies ([Steal Web Session Coo chniques/T1528)) and session cookies ([Steal Web Session Coo
+ kie](https://attack.mitre.org/techniques/T1539)).(Citation: kie](https://attack.mitre.org/techniques/T1539)).(Citation:
+ volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade
+ Attack](https://attack.mitre.org/techniques/T15 62/010)s can Attack](https://attack.mitre.org/techniques/T1689)s can als
+ also be used to establish an AiTM position, such as by negoo be used to establish an AiTM position, such as by negotiat
+ tiating a less secure, deprecated, or weaker version of comm ing a less secure, deprecated, or weaker version of communic
+ unication protocol (SSL/TLS) or encryption algorithm.(Citati ation protocol (SSL/TLS) or encryption algorithm.(Citation:
+ on: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls
+ _tls)(Citation: tlseminar_downgrade_att) Adversaries may al )(Citation: tlseminar_downgrade_att) Adversaries may also l
+ so leverage the AiTM position to attempt to monitor and/or m everage the AiTM position to attempt to monitor and/or modif
+ odify traffic, such as in [Transmitted Data Manipulation](ht y traffic, such as in [Transmitted Data Manipulation](https:
+ tps://attack.mitre.org/techniques/T1565/002). Adversaries ca //attack.mitre.org/techniques/T1565/002). Adversaries can se
+ n setup a position similar to AiTM to prevent traffic from f tup a position similar to AiTM to prevent traffic from flowi
+ lowing to the appropriate destination, potentially to [Impai ng to the appropriate destination, potentially to impair def
+ r Defenses](https://attack.mitre.org/techniques/T1562) and/o enses and/or in support of a [Network Denial of Service](htt
+ r in support of a [Network Denial of Service](https://attackps://attack.mitre.org/techniques/T1498).
+ .mitre.org/techniques/T1498).
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:20.163000+00:00 2026-04-17 14:18:32.903000+00:00 description Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)
+
+For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)
+
+Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498). Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)
+
+For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1689)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)
+
+Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to impair defenses and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498). x_mitre_attack_spec_version 3.2.0 3.3.0
[T1588.007] Obtain Capabilities: Artificial Intelligence Current version : 1.1
+
+
+
+
+
+ t Adversaries may obtain access to generative artificial intel t Adversaries may obtain access to generative artificial intel
+ ligence tools, such as large language models (LLMs), to aid ligence tools, such as large language models (LLMs), to aid
+ various techniques during targeting. These tools may be used various techniques during targeting. These tools may be used
+ to inform, bolster, and enable a variety of malicious tasks to inform, bolster, and enable a variety of malicious tasks
+ , including conducting [Reconnaissance](https://attack.mitre , including conducting [Reconnaissance](https://attack.mitre
+ .org/tactics/TA0043), creating basic scripts, assisting soci .org/tactics/TA0043), creating basic scripts, assisting soci
+ al engineering, and even developing payloads.(Citation: MSFT al engineering, and even developing payloads.(Citation: MSFT
+ -AI) For example, by utilizing a publicly available LLM an -AI) For example, by utilizing a publicly available LLM an
+ adversary is essentially outsourcing or automating certain adversary is essentially outsourcing or automating certain
+ tasks to the tool. Using AI, the adversary may draft and gen tasks to the tool. Using AI, the adversary may draft and gen
+ erate content in a variety of written languages to be used i erate content in a variety of written languages to be used i
+ n [Phishing](https://attack.mitre.org/techniques/T1566)/[Phi n [Phishing](https://attack.mitre.org/techniques/T1566)/[Phi
+ shing for Information](https://attack.mitre.org/techniques/T shing for Information](https://attack.mitre.org/techniques/T
+ 1598) campaigns. The same publicly available tool may furthe 1598) campaigns. The same publicly available tool may furthe
+ r enable vulnerability or other offensive research supportin r enable vulnerability or other offensive research supportin
+ g [Develop Capabilities](https://attack.mitre.org/techniques g [Develop Capabilities](https://attack.mitre.org/techniques
+ /T1587). AI tools may also automate technical tasks by gener /T1587). AI tools may also automate technical tasks by gener
+ ating, refining, or otherwise enhancing (e.g., [Obfuscated F ating, refining, or otherwise enhancing (e.g., [Obfuscated F
+ iles or Information](https://attack.mitre.org/techniques/T10 iles or Information](https://attack.mitre.org/techniques/T10
+ 27)) malicious scripts and payloads.(Citation: OpenAI-CTI) F 27)) malicious scripts and payloads.(Citation: OpenAI-CTI) F
+ inally, AI-generated text, images, audio, and video may be u inally, AI-generated text, images, audio, and video may be u
+ sed for fraud, [Impersonation](https://attack.mitre.org/tech sed for fraud, [Impersonation](https://attack.mitre.org/tech
+ niques/T1656 ), and other malicious activities.(Citation: Goo niques/T1684/001 ), and other malicious activities.(Citation:
+ gle-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing-AI2 Google-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing
+ 4) -AI24)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:23.190000+00:00 2026-04-17 16:06:03.711000+00:00 description Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
+
+For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI) Finally, AI-generated text, images, audio, and video may be used for fraud, [Impersonation](https://attack.mitre.org/techniques/T1656), and other malicious activities.(Citation: Google-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing-AI24)
+ Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
+
+For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI) Finally, AI-generated text, images, audio, and video may be used for fraud, [Impersonation](https://attack.mitre.org/techniques/T1684/001), and other malicious activities.(Citation: Google-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing-AI24)
+ x_mitre_attack_spec_version 3.2.0 3.3.0
[T1176.001] Software Extensions: Browser Extensions Current version : 1.1
+
+
+
+
+
+ t Adversaries may abuse internet browser extensions to establi t Adversaries may abuse internet browser extensions to establi
+ sh persistent access to victim systems. Browser extensions o sh persistent access to victim systems. Browser extensions o
+ r plugins are small programs that can add functionality to a r plugins are small programs that can add functionality to a
+ nd customize aspects of internet browsers. They can be insta nd customize aspects of internet browsers. They can be insta
+ lled directly via a local file or custom URL or through a br lled directly via a local file or custom URL or through a br
+ owser's app store - an official online platform where users owser's app store - an official online platform where users
+ can browse, install, and manage extensions for a specific we can browse, install, and manage extensions for a specific we
+ b browser. Extensions generally inherit the web browser's pe b browser. Extensions generally inherit the web browser's pe
+ rmissions previously granted.(Citation: Wikipedia Browser Ex rmissions previously granted.(Citation: Wikipedia Browser Ex
+ tension)(Citation: Chrome Extensions Definition) Maliciou tension)(Citation: Chrome Extensions Definition) Maliciou
+ s extensions can be installed into a browser through malicio s extensions can be installed into a browser through malicio
+ us app store downloads masquerading as legitimate extensions us app store downloads masquerading as legitimate extensions
+ , through social engineering, or by an adversary that has al , through social engineering, or by an adversary that has al
+ ready compromised a system. Security can be limited on brows ready compromised a system. Security can be limited on brows
+ er app stores, so it may not be difficult for malicious exte er app stores, so it may not be difficult for malicious exte
+ nsions to defeat automated scanners.(Citation: Malicious Chr nsions to defeat automated scanners.(Citation: Malicious Chr
+ ome Extension Numbers) Depending on the browser, adversaries ome Extension Numbers) Depending on the browser, adversaries
+ may also manipulate an extension's update url to install up may also manipulate an extension's update url to install up
+ dates from an adversary-controlled server or manipulate the dates from an adversary-controlled server or manipulate the
+ mobile configuration file to silently install additional ext mobile configuration file to silently install additional ext
+ ensions. Adversaries may abuse how chromium-based browsers ensions. Adversaries may abuse how chromium-based browsers
+ load extensions by modifying or replacing the Preferences a load extensions by modifying or replacing the Preferences a
+ nd/or Secure Preferences files to silently install malicious nd/or Secure Preferences files to silently install malicious
+ extensions. When the browser is not running, adversaries ca extensions. When the browser is not running, adversaries ca
+ n alter these files, ensuring the extension is loaded, grant n alter these files, ensuring the extension is loaded, grant
+ ed desired permissions, and will persist in browser sessions ed desired permissions, and will persist in browser sessions
+ . This method does not require user consent and extensions a . This method does not require user consent and extensions a
+ re silently loaded in the background from disk or from the b re silently loaded in the background from disk or from the b
+ rowser's trusted store.(Citation: Pulsedive) Previous to rowser's trusted store.(Citation: Pulsedive) Previous to
+ macOS 11, adversaries could silently install browser extensi macOS 11, adversaries could silently install browser extensi
+ ons via the command line using the <code>profiles</code> too ons via the command line using the <code>profiles</code> too
+ l to install malicious <code>.mobileconfig</code> files. In l to install malicious <code>.mobileconfig</code> files. In
+ macOS 11+, the use of the <code>profiles</code> tool can no macOS 11+, the use of the <code>profiles</code> tool can no
+ longer install configuration profiles; however, <code>.mobil longer install configuration profiles; however, <code>.mobil
+ econfig</code> files can be planted and installed with user econfig</code> files can be planted and installed with user
+ interaction.(Citation: xorrior chrome extensions macOS) O interaction.(Citation: xorrior chrome extensions macOS) O
+ nce the extension is installed, it can browse to websites in nce the extension is installed, it can browse to websites in
+ the background, steal all information that a user enters in the background, steal all information that a user enters in
+ to a browser (including credentials), and be used as an inst to a browser (including credentials), and be used as an inst
+ aller for a RAT for persistence.(Citation: Chrome Extension aller for a RAT for persistence.(Citation: Chrome Extension
+ Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation:
+ Banker Google Chrome Extension Steals Creds)(Citation: Catch Banker Google Chrome Extension Steals Creds)(Citation: Catch
+ All Chrome Extension) There have also been instances of b All Chrome Extension) There have also been instances of b
+ otnets using a persistent backdoor through malicious Chrome otnets using a persistent backdoor through malicious Chrome
+ extensions for [Command and Control](https://attack.mitre.or extensions for [Command and Control](https://attack.mitre.or
+ g/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chr g/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chr
+ ome Extension C2 Malware) Adversaries may also use browser e ome Extension C2 Malware) Adversaries may also use browser e
+ xtensions to modify browser permissions and components, priv xtensions to modify browser permissions and components, priv
+ acy settings, and other security controls for [Defense Evasi acy settings, and other security controls for [Stealth ](http
+ on ](https://attack.mitre.org/tactics/TA0005).(Citation: Brows://attack.mitre.org/tactics/TA0005).(Citation: Browers Fria
+ ers FriarFox)(Citation: Browser Adrozek) rFox)(Citation: Browser Adrozek)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value description Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
+
+Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions.
+
+Adversaries may abuse how chromium-based browsers load extensions by modifying or replacing the Preferences and/or Secure Preferences files to silently install malicious extensions. When the browser is not running, adversaries can alter these files, ensuring the extension is loaded, granted desired permissions, and will persist in browser sessions. This method does not require user consent and extensions are silently loaded in the background from disk or from the browser's trusted store.(Citation: Pulsedive)
+
+Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles; however, .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
+
+Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
+
+There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
+
+Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions.
+
+Adversaries may abuse how chromium-based browsers load extensions by modifying or replacing the Preferences and/or Secure Preferences files to silently install malicious extensions. When the browser is not running, adversaries can alter these files, ensuring the extension is loaded, granted desired permissions, and will persist in browser sessions. This method does not require user consent and extensions are silently loaded in the background from disk or from the browser's trusted store.(Citation: Pulsedive)
+
+Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles; however, .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
+
+Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
+
+There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Stealth](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek)
[T1526] Cloud Service Discovery Current version : 1.4
+
+
+
+
+
+ t An adversary may attempt to enumerate the cloud services run t An adversary may attempt to enumerate the cloud services run
+ ning on a system after gaining access. These methods can dif ning on a system after gaining access. These methods can dif
+ fer from platform-as-a-service (PaaS), to infrastructure-as- fer from platform-as-a-service (PaaS), to infrastructure-as-
+ a-service (IaaS), or software-as-a-service (SaaS). Many serv a-service (IaaS), or software-as-a-service (SaaS). Many serv
+ ices exist throughout the various cloud providers and can in ices exist throughout the various cloud providers and can in
+ clude Continuous Integration and Continuous Delivery (CI/CD) clude Continuous Integration and Continuous Delivery (CI/CD)
+ , Lambda Functions, Entra ID, etc. They may also include sec , Lambda Functions, Entra ID, etc. They may also include sec
+ urity services, such as AWS GuardDuty and Microsoft Defender urity services, such as AWS GuardDuty and Microsoft Defender
+ for Cloud, and logging services, such as AWS CloudTrail and for Cloud, and logging services, such as AWS CloudTrail and
+ Google Cloud Audit Logs. Adversaries may attempt to discov Google Cloud Audit Logs. Adversaries may attempt to discov
+ er information about the services enabled throughout the env er information about the services enabled throughout the env
+ ironment. Azure tools and APIs, such as the Microsoft Graph ironment. Azure tools and APIs, such as the Microsoft Graph
+ API and Azure Resource Manager API, can enumerate resources API and Azure Resource Manager API, can enumerate resources
+ and services, including applications, management groups, res and services, including applications, management groups, res
+ ources and policy definitions, and their relationships that ources and policy definitions, and their relationships that
+ are accessible by an identity.(Citation: Azure - Resource Ma are accessible by an identity.(Citation: Azure - Resource Ma
+ nager API)(Citation: Azure AD Graph API) For example, Storm nager API)(Citation: Azure AD Graph API) For example, Storm
+ spotter is an open source tool for enumerating and construct spotter is an open source tool for enumerating and construct
+ ing a graph for Azure resources and services, and Pacu is an ing a graph for Azure resources and services, and Pacu is an
+ open source AWS exploitation framework that supports severa open source AWS exploitation framework that supports severa
+ l methods for discovering cloud services.(Citation: Azure - l methods for discovering cloud services.(Citation: Azure -
+ Stormspotter)(Citation: GitHub Pacu) Adversaries may use th Stormspotter)(Citation: GitHub Pacu) Adversaries may use th
+ e information gained to shape follow-on behaviors, such as t e information gained to shape follow-on behaviors, such as t
+ argeting data or credentials from enumerated services or eva argeting data or credentials from enumerated services or eva
+ ding identified defenses through [Disable or Modify Tools](h ding identified defenses through [Disable or Modify Tools](h
+ ttps://attack.mitre.org/techniques/T1562 /001) or [Disable or ttps://attack.mitre.org/techniques/T168 5) or [Disable or Mod
+ Modify Cloud Logs](https://attack.mitre.org/techniques/T156 ify Cloud Log](https://attack.mitre.org/techniques/T1 685 /002
+ 2/008 ).).
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:30.791000+00:00 2026-04-17 14:17:35.798000+00:00 description An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+
+Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+
+For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
+
+Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008). An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+
+Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+
+For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
+
+Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685) or [Disable or Modify Cloud Log](https://attack.mitre.org/techniques/T1685/002). x_mitre_attack_spec_version 3.2.0 3.3.0
[T1554] Compromise Host Software Binary Current version : 2.2
+
+
+
+
+
+ t Adversaries may modify host software binaries to establish p t Adversaries may modify host software binaries to establish p
+ ersistent access to systems. Software binaries/executables p ersistent access to systems. Software binaries/executables p
+ rovide a wide range of system commands or services, programs rovide a wide range of system commands or services, programs
+ , and libraries. Common software binaries are SSH clients, F , and libraries. Common software binaries are SSH clients, F
+ TP clients, email clients, web browsers, and many other user TP clients, email clients, web browsers, and many other user
+ or server applications. Adversaries may establish persiste or server applications. Adversaries may establish persiste
+ nce though modifications to host software binaries. For exam nce though modifications to host software binaries. For exam
+ ple, an adversary may replace or otherwise infect a legitima ple, an adversary may replace or otherwise infect a legitima
+ te application binary (or support files) with a backdoor. Si te application binary (or support files) with a backdoor. Si
+ nce these binaries may be routinely executed by applications nce these binaries may be routinely executed by applications
+ or the user, the adversary can leverage this for persistent or the user, the adversary can leverage this for persistent
+ access to the host. An adversary may also modify a software access to the host. An adversary may also modify a software
+ binary such as an SSH client in order to persistently colle binary such as an SSH client in order to persistently colle
+ ct credentials during logins (i.e., [Modify Authentication P ct credentials during logins (i.e., [Modify Authentication P
+ rocess](https://attack.mitre.org/techniques/T1556)).(Citatio rocess](https://attack.mitre.org/techniques/T1556)).(Citatio
+ n: Google Cloud Mandiant UNC3886 2024) An adversary may als n: Google Cloud Mandiant UNC3886 2024) An adversary may als
+ o modify an existing binary by patching in malicious functio o modify an existing binary by patching in malicious functio
+ nality (e.g., IAT Hooking/Entry point patching)(Citation: Un nality (e.g., IAT Hooking/Entry point patching)(Citation: Un
+ it42 Banking Trojans Hooking 2022) prior to the binary’s leg it42 Banking Trojans Hooking 2022) prior to the binary’s leg
+ itimate execution. For example, an adversary may modify the itimate execution. For example, an adversary may modify the
+ entry point of a binary to point to malicious code patched i entry point of a binary to point to malicious code patched i
+ n by the adversary before resuming normal execution flow.(Ci n by the adversary before resuming normal execution flow.(Ci
+ tation: ESET FontOnLake Analysis 2021) After modifying a bi tation: ESET FontOnLake Analysis 2021) After modifying a bi
+ nary, an adversary may attempt to [Impair Defenses] (https:// nary, an adversary may attempt to impair defenses by prevent
+ attack.mitre.org/techniques/T1562) by pre venting it from upd ing it from updating (e.g., via the `yum-versionlock` comman
+ ating (e.g., via the `yum-versionlock` command or `versionlod or `versionlock.list` file in Linux systems that use the y
+ ck.list` file in Linux systems that use the yum package mana um package manager).(Citation: Google Cloud Mandiant UNC3886
+ ger).(Citation: Google Cloud Mandiant UNC3886 2024) 2024)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:07.572000+00:00 2026-04-16 18:57:08.883000+00:00 description Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
+
+Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
+
+An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024) Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
+
+Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
+
+An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+After modifying a binary, an adversary may attempt to impair defenses by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024) x_mitre_attack_spec_version 3.2.0 3.3.0
[T1565] Data Manipulation Current version : 1.1
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:13.111000+00:00 2026-01-20 15:10:23.526000+00:00 external_references[1]['url'] https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d https://web.archive.org/web/20220105132433/https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf x_mitre_attack_spec_version 3.2.0 3.3.0
[T1190] Exploit Public-Facing Application Current version : 2.8
+
+
+
+
+
+ t Adversaries may attempt to exploit a weakness in an Internet t Adversaries may attempt to exploit a weakness in an Internet
+ -facing host or system to initially access a network. The we -facing host or system to initially access a network. The we
+ akness in the system can be a software bug, a temporary glit akness in the system can be a software bug, a temporary glit
+ ch, or a misconfiguration. Exploited applications are often ch, or a misconfiguration. Exploited applications are often
+ websites/web servers, but can also include databases (like websites/web servers, but can also include databases (like
+ SQL), standard services (like SMB or SSH), network device ad SQL), standard services (like SMB or SSH), network device ad
+ ministration and management protocols (like SNMP and Smart I ministration and management protocols (like SNMP and Smart I
+ nstall), and any other system with Internet-accessible open nstall), and any other system with Internet-accessible open
+ sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple
+ SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network In SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network In
+ frastructure Devices 2018)(Citation: Cisco Blog Legacy Devic frastructure Devices 2018)(Citation: Cisco Blog Legacy Devic
+ e Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructu e Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructu
+ re, adversaries may exploit exposed OpenSLP services; they m re, adversaries may exploit exposed OpenSLP services; they m
+ ay alternatively exploit exposed VMware vCenter servers.(Cit ay alternatively exploit exposed VMware vCenter servers.(Cit
+ ation: Recorded Future ESXiArgs Ransomware 2023)(Citation: A ation: Recorded Future ESXiArgs Ransomware 2023)(Citation: A
+ rs Technica VMWare Code Execution Vulnerability 2021) Depend rs Technica VMWare Code Execution Vulnerability 2021) Depend
+ ing on the flaw being exploited, this may also involve [Expl ing on the flaw being exploited, this may also involve [Expl
+ oitation for Defense Evasion ](https://attack.mitre.org/techn oitation for Stealth ](https://attack.mitre.org/techniques/T1
+ iques/T1211) or [Exploitation for Client Execution](https:// 211) or [Exploitation for Client Execution](https://attack.m
+ attack.mitre.org/techniques/T1203). If an application is ho itre.org/techniques/T1203). If an application is hosted on
+ sted on cloud-based infrastructure and/or is containerized, cloud-based infrastructure and/or is containerized, then exp
+ then exploiting it may lead to compromise of the underlying loiting it may lead to compromise of the underlying instance
+ instance or container. This can allow an adversary a path to or container. This can allow an adversary a path to access
+ access the cloud or container APIs (e.g., via the [Cloud In the cloud or container APIs (e.g., via the [Cloud Instance M
+ stance Metadata API](https://attack.mitre.org/techniques/T15 etadata API](https://attack.mitre.org/techniques/T1552/005))
+ 52/005)), exploit container host access via [Escape to Host] , exploit container host access via [Escape to Host](https:/
+ (https://attack.mitre.org/techniques/T1611), or take advanta /attack.mitre.org/techniques/T1611), or take advantage of we
+ ge of weak identity and access management policies. Adversa ak identity and access management policies. Adversaries may
+ ries may also exploit edge network infrastructure and relate also exploit edge network infrastructure and related applia
+ d appliances, specifically targeting devices that do not sup nces, specifically targeting devices that do not support rob
+ port robust host-based defenses.(Citation: Mandiant Fortinet ust host-based defenses.(Citation: Mandiant Fortinet Zero Da
+ Zero Day)(Citation: Wired Russia Cyberwar) For websites an y)(Citation: Wired Russia Cyberwar) For websites and databa
+ d databases, the OWASP top 10 and CWE top 25 highlight the m ses, the OWASP top 10 and CWE top 25 highlight the most comm
+ ost common web-based vulnerabilities.(Citation: OWASP Top 10 on web-based vulnerabilities.(Citation: OWASP Top 10)(Citati
+ )(Citation: CWE top 25) on: CWE top 25)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value description Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
+
+Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+
+If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+
+Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
+
+For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
+
+Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+
+If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+
+Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
+
+For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)
[T1587.004] Develop Capabilities: Exploits Current version : 1.0
+
+
+
+
+
+ t Adversaries may develop exploits that can be used during tar t Adversaries may develop exploits that can be used during tar
+ geting. An exploit takes advantage of a bug or vulnerability geting. An exploit takes advantage of a bug or vulnerability
+ in order to cause unintended or unanticipated behavior to o in order to cause unintended or unanticipated behavior to o
+ ccur on computer hardware or software. Rather than finding/m ccur on computer hardware or software. Rather than finding/m
+ odifying exploits from online or purchasing them from exploi odifying exploits from online or purchasing them from exploi
+ t vendors, an adversary may develop their own exploits.(Cita t vendors, an adversary may develop their own exploits.(Cita
+ tion: NYTStuxnet) Adversaries may use information acquired v tion: NYTStuxnet) Adversaries may use information acquired v
+ ia [Vulnerabilities](https://attack.mitre.org/techniques/T15 ia [Vulnerabilities](https://attack.mitre.org/techniques/T15
+ 88/006) to focus exploit development efforts. As part of the 88/006) to focus exploit development efforts. As part of the
+ exploit development process, adversaries may uncover exploi exploit development process, adversaries may uncover exploi
+ table vulnerabilities through methods such as fuzzing and pa table vulnerabilities through methods such as fuzzing and pa
+ tch analysis.(Citation: Irongeek Sims BSides 2017) As with tch analysis.(Citation: Irongeek Sims BSides 2017) As with
+ legitimate development efforts, different skill sets may be legitimate development efforts, different skill sets may be
+ required for developing exploits. The skills needed may be l required for developing exploits. The skills needed may be l
+ ocated in-house, or may need to be contracted out. Use of a ocated in-house, or may need to be contracted out. Use of a
+ contractor may be considered an extension of that adversary' contractor may be considered an extension of that adversary'
+ s exploit development capabilities, provided the adversary p s exploit development capabilities, provided the adversary p
+ lays a role in shaping requirements and maintains an initial lays a role in shaping requirements and maintains an initial
+ degree of exclusivity to the exploit. Adversaries may use degree of exclusivity to the exploit. Adversaries may use
+ exploits during various phases of the adversary lifecycle (i exploits during various phases of the adversary lifecycle (i
+ .e. [Exploit Public-Facing Application](https://attack.mitre .e. [Exploit Public-Facing Application](https://attack.mitre
+ .org/techniques/T1190), [Exploitation for Client Execution]( .org/techniques/T1190), [Exploitation for Client Execution](
+ https://attack.mitre.org/techniques/T1203), [Exploitation fo https://attack.mitre.org/techniques/T1203), [Exploitation fo
+ r Privilege Escalation](https://attack.mitre.org/techniques/ r Privilege Escalation](https://attack.mitre.org/techniques/
+ T1068), [Exploitation for Defense Evasion ](https://attack.mi T1068), [Exploitation for Stealth ](https://attack.mitre.org/
+ tre.org/techniques/T1211), [Exploitation for Credential Acce techniques/T1211), [Exploitation for Credential Access](http
+ ss](https://attack.mitre.org/techniques/T1212), [Exploitatio s://attack.mitre.org/techniques/T1212), [Exploitation of Rem
+ n of Remote Services](https://attack.mitre.org/techniques/T1 ote Services](https://attack.mitre.org/techniques/T1210), an
+ 210), and [Application or System Exploitation](https://attac d [Application or System Exploitation](https://attack.mitre.
+ k.mitre.org/techniques/T1499/004)). org/techniques/T1499/004)).
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value description Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
+
+As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.
+
+Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
+
+As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.
+
+Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
[T1588.005] Obtain Capabilities: Exploits Current version : 1.0
+
+
+
+
+
+ t Adversaries may buy, steal, or download exploits that can be t Adversaries may buy, steal, or download exploits that can be
+ used during targeting. An exploit takes advantage of a bug used during targeting. An exploit takes advantage of a bug
+ or vulnerability in order to cause unintended or unanticipat or vulnerability in order to cause unintended or unanticipat
+ ed behavior to occur on computer hardware or software. Rathe ed behavior to occur on computer hardware or software. Rathe
+ r than developing their own exploits, an adversary may find/ r than developing their own exploits, an adversary may find/
+ modify exploits from online or purchase them from exploit ve modify exploits from online or purchase them from exploit ve
+ ndors.(Citation: Exploit Database)(Citation: TempertonDarkHo ndors.(Citation: Exploit Database)(Citation: TempertonDarkHo
+ tel)(Citation: NationsBuying) In addition to downloading fr tel)(Citation: NationsBuying) In addition to downloading fr
+ ee exploits from the internet, adversaries may purchase expl ee exploits from the internet, adversaries may purchase expl
+ oits from third-party entities. Third-party entities can inc oits from third-party entities. Third-party entities can inc
+ lude technology companies that specialize in exploit develop lude technology companies that specialize in exploit develop
+ ment, criminal marketplaces (including exploit kits), or fro ment, criminal marketplaces (including exploit kits), or fro
+ m individuals.(Citation: PegasusCitizenLab)(Citation: Wired m individuals.(Citation: PegasusCitizenLab)(Citation: Wired
+ SandCat Oct 2019) In addition to purchasing exploits, advers SandCat Oct 2019) In addition to purchasing exploits, advers
+ aries may steal and repurpose exploits from third-party enti aries may steal and repurpose exploits from third-party enti
+ ties (including other adversaries).(Citation: TempertonDarkH ties (including other adversaries).(Citation: TempertonDarkH
+ otel) An adversary may monitor exploit provider forums to u otel) An adversary may monitor exploit provider forums to u
+ nderstand the state of existing, as well as newly discovered nderstand the state of existing, as well as newly discovered
+ , exploits. There is usually a delay between when an exploit , exploits. There is usually a delay between when an exploit
+ is discovered and when it is made public. An adversary may is discovered and when it is made public. An adversary may
+ target the systems of those known to conduct exploit researc target the systems of those known to conduct exploit researc
+ h and development in order to gain that knowledge for use du h and development in order to gain that knowledge for use du
+ ring a subsequent operation. Adversaries may use exploits d ring a subsequent operation. Adversaries may use exploits d
+ uring various phases of the adversary lifecycle (i.e. [Explo uring various phases of the adversary lifecycle (i.e. [Explo
+ it Public-Facing Application](https://attack.mitre.org/techn it Public-Facing Application](https://attack.mitre.org/techn
+ iques/T1190), [Exploitation for Client Execution](https://at iques/T1190), [Exploitation for Client Execution](https://at
+ tack.mitre.org/techniques/T1203), [Exploitation for Privileg tack.mitre.org/techniques/T1203), [Exploitation for Privileg
+ e Escalation](https://attack.mitre.org/techniques/T1068), [E e Escalation](https://attack.mitre.org/techniques/T1068), [E
+ xploitation for Defense Evasion ](https://attack.mitre.org/te xploitation for Stealth ](https://attack.mitre.org/techniques
+ chniques/T1211), [Exploitation for Credential Access](https: /T1211), [Exploitation for Credential Access](https://attack
+ //attack.mitre.org/techniques/T1212), [Exploitation of Remot .mitre.org/techniques/T1212), [Exploitation of Remote Servic
+ e Services](https://attack.mitre.org/techniques/T1210), and es](https://attack.mitre.org/techniques/T1210), and [Applica
+ [Application or System Exploitation](https://attack.mitre.or tion or System Exploitation](https://attack.mitre.org/techni
+ g/techniques/T1499/004)). ques/T1499/004)).
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value description Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
+
+In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)
+
+An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.
+
+Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
+
+In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)
+
+An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.
+
+Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
[T1657] Financial Theft Current version : 1.2
+
+
+
+
+
+ t Adversaries may steal monetary resources from targets throug t Adversaries may steal monetary resources from targets throug
+ h extortion, social engineering, technical theft, or other m h extortion, social engineering, technical theft, or other m
+ ethods aimed at their own financial gain at the expense of t ethods aimed at their own financial gain at the expense of t
+ he availability of these resources for victims. Financial th he availability of these resources for victims. Financial th
+ eft is the ultimate objective of several popular campaign ty eft is the ultimate objective of several popular campaign ty
+ pes including extortion by ransomware,(Citation: FBI-ransomw pes including extortion by ransomware,(Citation: FBI-ransomw
+ are) business email compromise (BEC) and fraud,(Citation: FB are) business email compromise (BEC) and fraud,(Citation: FB
+ I-BEC) "pig butchering,"(Citation: wired-pig butchering) ban I-BEC) "pig butchering,"(Citation: wired-pig butchering) ban
+ k hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocu k hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocu
+ rrency networks.(Citation: BBC-Ronin) Adversaries may [Com rrency networks.(Citation: BBC-Ronin) Adversaries may [Com
+ promise Accounts](https://attack.mitre.org/techniques/T1586) promise Accounts](https://attack.mitre.org/techniques/T1586)
+ to conduct unauthorized transfers of funds.(Citation: Inter to conduct unauthorized transfers of funds.(Citation: Inter
+ net crime report 2022) In the case of business email comprom net crime report 2022) In the case of business email comprom
+ ise or email fraud, an adversary may utilize [Impersonation] ise or email fraud, an adversary may utilize [Impersonation]
+ (https://attack.mitre.org/techniques/T1656 ) of a trusted ent (https://attack.mitre.org/techniques/T1684/001 ) of a trusted
+ ity. Once the social engineering is successful, victims can entity. Once the social engineering is successful, victims
+ be deceived into sending money to financial accounts control can be deceived into sending money to financial accounts con
+ led by an adversary.(Citation: FBI-BEC) This creates the pot trolled by an adversary.(Citation: FBI-BEC) This creates the
+ ential for multiple victims (i.e., compromised accounts as w potential for multiple victims (i.e., compromised accounts
+ ell as the ultimate monetary loss) in incidents involving fi as well as the ultimate monetary loss) in incidents involvin
+ nancial theft.(Citation: VEC) Extortion by ransomware may o g financial theft.(Citation: VEC) Extortion by ransomware m
+ ccur, for example, when an adversary demands payment from a ay occur, for example, when an adversary demands payment fro
+ victim after [Data Encrypted for Impact](https://attack.mitr m a victim after [Data Encrypted for Impact](https://attack.
+ e.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfilt mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Ex
+ ration](https://attack.mitre.org/tactics/TA0010) of data, fo filtration](https://attack.mitre.org/tactics/TA0010) of data
+ llowed by threatening to leak sensitive data to the public u , followed by threatening to leak sensitive data to the publ
+ nless payment is made to the adversary.(Citation: Mandiant-l ic unless payment is made to the adversary.(Citation: Mandia
+ eaks) Adversaries may use dedicated leak sites to distribute nt-leaks) Adversaries may use dedicated leak sites to distri
+ victim data.(Citation: Crowdstrike-leaks) Due to the poten bute victim data.(Citation: Crowdstrike-leaks) Due to the p
+ tially immense business impact of financial theft, an advers otentially immense business impact of financial theft, an ad
+ ary may abuse the possibility of financial theft and seeking versary may abuse the possibility of financial theft and see
+ monetary gain to divert attention from their true goals suc king monetary gain to divert attention from their true goals
+ h as [Data Destruction](https://attack.mitre.org/techniques/ such as [Data Destruction](https://attack.mitre.org/techniq
+ T1485) and business disruption.(Citation: AP-NotPetya) ues/T1485) and business disruption.(Citation: AP-NotPetya)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:36:03.465000+00:00 2026-04-17 16:12:12.496000+00:00 description Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin)
+
+Adversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)
+
+Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.(Citation: Mandiant-leaks) Adversaries may use dedicated leak sites to distribute victim data.(Citation: Crowdstrike-leaks)
+
+Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya) Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin)
+
+Adversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1684/001) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)
+
+Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.(Citation: Mandiant-leaks) Adversaries may use dedicated leak sites to distribute victim data.(Citation: Crowdstrike-leaks)
+
+Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya) x_mitre_attack_spec_version 3.2.0 3.3.0
[T1546.012] Event Triggered Execution: Image File Execution Options Injection Current version : 1.2
+
+
+
+
+
+ t Adversaries may establish persistence and/or elevate privile t Adversaries may establish persistence and/or elevate privile
+ ges by executing malicious content triggered by Image File E ges by executing malicious content triggered by Image File E
+ xecution Options (IFEO) debuggers. IFEOs enable a developer xecution Options (IFEO) debuggers. IFEOs enable a developer
+ to attach a debugger to an application. When a process is cr to attach a debugger to an application. When a process is cr
+ eated, a debugger present in an application’s IFEO will be p eated, a debugger present in an application’s IFEO will be p
+ repended to the application’s name, effectively launching th repended to the application’s name, effectively launching th
+ e new process under the debugger (e.g., <code>C:\dbg\ntsd.ex e new process under the debugger (e.g., <code>C:\dbg\ntsd.ex
+ e -g notepad.exe</code>). (Citation: Microsoft Dev Blog IFE e -g notepad.exe</code>).(Citation: Microsoft Dev Blog IFEO
+ O Mar 2010) IFEOs can be set directly via the Registry or i Mar 2010) IFEOs can be set directly via the Registry or in
+ n Global Flags via the GFlags tool. (Citation: Microsoft GFl Global Flags via the GFlags tool.(Citation: Microsoft GFlag
+ ags Mar 2017) IFEOs are represented as <code>Debugger</code> s Mar 2017) IFEOs are represented as <code>Debugger</code> v
+ values in the Registry under <code>HKLM\SOFTWARE{\Wow6432No alues in the Registry under <code>HKLM\SOFTWARE{\Wow6432Node
+ de}\Microsoft\Windows NT\CurrentVersion\Image File Execution }\Microsoft\Windows NT\CurrentVersion\Image File Execution O
+ Options\<executable></code> where <code><executable>< ptions\<executable></code> where <code><executable></c
+ /code> is the binary on which the debugger is attached. (Cit ode> is the binary on which the debugger is attached.(Citati
+ ation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can also ena on: Microsoft Dev Blog IFEO Mar 2010) IFEOs can also enable
+ ble an arbitrary monitor program to be launched when a speci an arbitrary monitor program to be launched when a specifie
+ fied program silently exits (i.e. is prematurely terminated d program silently exits (i.e. is prematurely terminated by
+ by itself or a second, non kernel-mode process). (Citation: itself or a second, non kernel-mode process).(Citation: Micr
+ Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Mo osoft Silent Process Exit NOV 2017)(Citation: Oddvar Moe IFE
+ e IFEO APR 2018) Similar to debuggers, silent exit monitorin O APR 2018) Similar to debuggers, silent exit monitoring can
+ g can be enabled through GFlags and/or by directly modifying be enabled through GFlags and/or by directly modifying IFEO
+ IFEO and silent process exit Registry values in <code>HKEY_ and silent process exit Registry values in <code>HKEY_LOCAL
+ LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\S _MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Silent
+ ilentProcessExit\</code>. (Citation: Microsoft Silent Proces ProcessExit\</code>.(Citation: Microsoft Silent Process Exit
+ s Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Simil NOV 2017)(Citation: Oddvar Moe IFEO APR 2018) Similar to [
+ ar to [Accessibility Features](https://attack.mitre.org/tech Accessibility Features](https://attack.mitre.org/techniques/
+ niques/T1546/008), on Windows Vista and later as well as Win T1546/008), on Windows Vista and later as well as Windows Se
+ dows Server 2008 and later, a Registry key may be modified t rver 2008 and later, a Registry key may be modified that con
+ hat configures "cmd.exe," or another program that provides b figures "cmd.exe," or another program that provides backdoor
+ ackdoor access, as a "debugger" for an accessibility program access, as a "debugger" for an accessibility program (ex: u
+ (ex: utilman.exe). After the Registry is modified, pressing tilman.exe). After the Registry is modified, pressing the ap
+ the appropriate key combination at the login screen while a propriate key combination at the login screen while at the k
+ t the keyboard or when connected with [Remote Desktop Protoc eyboard or when connected with [Remote Desktop Protocol](htt
+ ol](https://attack.mitre.org/techniques/T1021/001) will caus ps://attack.mitre.org/techniques/T1021/001) will cause the "
+ e the "debugger" program to be executed with SYSTEM privileg debugger" program to be executed with SYSTEM privileges.(Cit
+ es. (Citation: Tilbury 2014) Similar to [Process Injection] ation: Tilbury 2014) Similar to [Process Injection](https:/
+ (https://attack.mitre.org/techniques/T1055), these values ma /attack.mitre.org/techniques/T1055), these values may also b
+ y also be abused to obtain privilege escalation by causing a e abused to obtain privilege escalation by causing a malicio
+ malicious executable to be loaded and run in the context of us executable to be loaded and run in the context of separat
+ separate processes on the computer. (Citation: Elastic Proc e processes on the computer.(Citation: Elastic Process Injec
+ ess Injection July 2017) Installing IFEO mechanisms may also tion July 2017) Installing IFEO mechanisms may also provide
+ provide Persistence via continuous triggered invocation. M Persistence via continuous triggered invocation. Malware ma
+ alware may also use IFEO to [Impair D efenses](https://attack y also use IFEO to impair d efenses by registering invalid de
+ .mitre.org/techniques/T1562) by registering invalid debuggerbuggers that redirect and effectively disable various system
+ s that redirect and effectively disable various system and s and security applications.(Citation: FSecure Hupigon)(Citat
+ ecurity applications. (Citation: FSecure Hupigon) (Citation: ion: Symantec Ushedix June 2008)
+ Symantec Ushedix June 2008)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:55.526000+00:00 2026-04-16 18:54:42.949000+00:00 description Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
+
+Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
+
+Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.
+
+Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008) Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe).(Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool.(Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached.(Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process).(Citation: Microsoft Silent Process Exit NOV 2017)(Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\.(Citation: Microsoft Silent Process Exit NOV 2017)(Citation: Oddvar Moe IFEO APR 2018)
+
+Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges.(Citation: Tilbury 2014)
+
+Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer.(Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.
+
+Malware may also use IFEO to impair defenses by registering invalid debuggers that redirect and effectively disable various system and security applications.(Citation: FSecure Hupigon)(Citation: Symantec Ushedix June 2008) x_mitre_attack_spec_version 3.2.0 3.3.0
[T1534] Internal Spearphishing Current version : 1.4
+
+
+
+
+
+ t After they already have access to accounts or systems within t After they already have access to accounts or systems within
+ the environment, adversaries may use internal spearphishing the environment, adversaries may use internal spearphishing
+ to gain access to additional information or compromise othe to gain access to additional information or compromise othe
+ r users within the same organization. Internal spearphishing r users within the same organization. Internal spearphishing
+ is multi-staged campaign where a legitimate account is init is multi-staged campaign where a legitimate account is init
+ ially compromised either by controlling the user's device or ially compromised either by controlling the user's device or
+ by compromising the account credentials of the user. Advers by compromising the account credentials of the user. Advers
+ aries may then attempt to take advantage of the trusted inte aries may then attempt to take advantage of the trusted inte
+ rnal account to increase the likelihood of tricking more vic rnal account to increase the likelihood of tricking more vic
+ tims into falling for phish attempts, often incorporating [I tims into falling for phish attempts, often incorporating [I
+ mpersonation](https://attack.mitre.org/techniques/T1656 ).(Ci mpersonation](https://attack.mitre.org/techniques/T1684/001 )
+ tation: Trend Micro - Int SP) For example, adversaries may .(Citation: Trend Micro - Int SP) For example, adversaries
+ leverage [Spearphishing Attachment](https://attack.mitre.org may leverage [Spearphishing Attachment](https://attack.mitre
+ /techniques/T1566/001) or [Spearphishing Link](https://attac .org/techniques/T1566/001) or [Spearphishing Link](https://a
+ k.mitre.org/techniques/T1566/002) as part of internal spearp ttack.mitre.org/techniques/T1566/002) as part of internal sp
+ hishing to deliver a payload or redirect to an external site earphishing to deliver a payload or redirect to an external
+ to capture credentials through [Input Capture](https://atta site to capture credentials through [Input Capture](https://
+ ck.mitre.org/techniques/T1056) on sites that mimic login int attack.mitre.org/techniques/T1056) on sites that mimic login
+ erfaces. Adversaries may also leverage internal chat apps, interfaces. Adversaries may also leverage internal chat ap
+ such as Microsoft Teams, to spread malicious content or enga ps, such as Microsoft Teams, to spread malicious content or
+ ge users in attempts to capture sensitive information and/or engage users in attempts to capture sensitive information an
+ credentials.(Citation: Int SP - chat apps) d/or credentials.(Citation: Int SP - chat apps)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:09.394000+00:00 2026-04-17 14:23:56.376000+00:00 description After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
+
+For example, adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic login interfaces.
+
+Adversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.(Citation: Int SP - chat apps) After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1684/001).(Citation: Trend Micro - Int SP)
+
+For example, adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic login interfaces.
+
+Adversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.(Citation: Int SP - chat apps) x_mitre_attack_spec_version 3.2.0 3.3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Trend Micro When Phishing Starts from the Inside 2017', 'description': 'Chris Taylor. (2017, October 5). When Phishing Starts from the Inside. Retrieved October 8, 2019.', 'url': 'https://blog.trendmicro.com/phishing-starts-inside/'}
[T1204.004] User Execution: Malicious Copy and Paste Current version : 1.1
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-05 17:30:01.834000+00:00 2026-03-27 20:05:57.921000+00:00 x_mitre_contributors[6] SeungYoul Yoo, Ahn Lab SeungYoul Yoo, AhnLab
[T1106] Native API Current version : 2.3
+
+
+
+
+
+ t Adversaries may interact with the native OS application prog t Adversaries may interact with the native OS application prog
+ ramming interface (API) to execute behaviors. Native APIs pr ramming interface (API) to execute behaviors. Native APIs pr
+ ovide a controlled means of calling low-level OS services wi ovide a controlled means of calling low-level OS services wi
+ thin the kernel, such as those involving hardware/devices, m thin the kernel, such as those involving hardware/devices, m
+ emory, and processes.(Citation: NT API Windows)(Citation: Li emory, and processes.(Citation: NT API Windows)(Citation: Li
+ nux Kernel API) These native APIs are leveraged by the OS du nux Kernel API) These native APIs are leveraged by the OS du
+ ring system boot (when other system components are not yet i ring system boot (when other system components are not yet i
+ nitialized) as well as carrying out tasks and requests durin nitialized) as well as carrying out tasks and requests durin
+ g routine operations. Adversaries may abuse these OS API fu g routine operations. Adversaries may abuse these OS API fu
+ nctions as a means of executing behaviors. Similar to [Comma nctions as a means of executing behaviors. Similar to [Comma
+ nd and Scripting Interpreter](https://attack.mitre.org/techn nd and Scripting Interpreter](https://attack.mitre.org/techn
+ iques/T1059), the native API and its hierarchy of interfaces iques/T1059), the native API and its hierarchy of interfaces
+ provide mechanisms to interact with and utilize various com provide mechanisms to interact with and utilize various com
+ ponents of a victimized system. Native API functions (such ponents of a victimized system. Native API functions (such
+ as <code>NtCreateProcess</code>) may be directed invoked via as <code>NtCreateProcess</code>) may be directed invoked via
+ system calls / syscalls, but these features are also often system calls / syscalls, but these features are also often
+ exposed to user-mode applications via interfaces and librari exposed to user-mode applications via interfaces and librari
+ es.(Citation: OutFlank System Calls)(Citation: CyberBit Syst es.(Citation: OutFlank System Calls)(Citation: CyberBit Syst
+ em Calls)(Citation: MDSec System Calls) For example, functio em Calls)(Citation: MDSec System Calls) For example, functio
+ ns such as the Windows API <code>CreateProcess()</code> or G ns such as the Windows API <code>CreateProcess()</code> or G
+ NU <code>fork()</code> will allow programs and scripts to st NU <code>fork()</code> will allow programs and scripts to st
+ art other processes.(Citation: Microsoft CreateProcess)(Cita art other processes.(Citation: Microsoft CreateProcess)(Cita
+ tion: GNU Fork) This may allow API callers to execute a bina tion: GNU Fork) This may allow API callers to execute a bina
+ ry, run a CLI command, load modules, etc. as thousands of si ry, run a CLI command, load modules, etc. as thousands of si
+ milar API functions exist for various system operations.(Cit milar API functions exist for various system operations.(Cit
+ ation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) Hi ation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) Hi
+ gher level software frameworks, such as Microsoft .NET and m gher level software frameworks, such as Microsoft .NET and m
+ acOS Cocoa, are also available to interact with native APIs. acOS Cocoa, are also available to interact with native APIs.
+ These frameworks typically provide language wrappers/abstra These frameworks typically provide language wrappers/abstra
+ ctions to API functionalities and are designed for ease-of-u ctions to API functionalities and are designed for ease-of-u
+ se/portability of code.(Citation: Microsoft NET)(Citation: A se/portability of code.(Citation: Microsoft NET)(Citation: A
+ pple Core Services)(Citation: MACOS Cocoa)(Citation: macOS F pple Core Services)(Citation: MACOS Cocoa)(Citation: macOS F
+ oundation) Adversaries may use assembly to directly or in-d oundation) Adversaries may use assembly to directly or in-d
+ irectly invoke syscalls in an attempt to subvert defensive s irectly invoke syscalls in an attempt to subvert defensive s
+ ensors and detection signatures such as user mode API-hooks. ensors and detection signatures such as user mode API-hooks.
+ (Citation: Redops Syscalls) Adversaries may also attempt to (Citation: Redops Syscalls) Adversaries may also attempt to
+ tamper with sensors and defensive tools associated with API tamper with sensors and defensive tools associated with API
+ monitoring, such as unhooking monitored functions via [Disab monitoring, such as unhooking monitored functions via [Disab
+ le or Modify Tools](https://attack.mitre.org/techniques/T156 le or Modify Tools](https://attack.mitre.org/techniques/T168
+ 2/001 ). 5).
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:39.785000+00:00 2026-04-16 19:16:22.540000+00:00 description Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
+
+Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.
+
+Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
+
+Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
+
+Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001). Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
+
+Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.
+
+Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
+
+Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
+
+Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685).
[T1040] Network Sniffing Current version : 1.7
+
+
+
+
+
+ t Adversaries may passively sniff network traffic to capture i t Adversaries may passively sniff network traffic to capture i
+ nformation about an environment, including authentication ma nformation about an environment, including authentication ma
+ terial passed over the network. Network sniffing refers to u terial passed over the network. Network sniffing refers to u
+ sing the network interface on a system to monitor or capture sing the network interface on a system to monitor or capture
+ information sent over a wired or wireless connection. An ad information sent over a wired or wireless connection. An ad
+ versary may place a network interface into promiscuous mode versary may place a network interface into promiscuous mode
+ to passively access data in transit over the network, or use to passively access data in transit over the network, or use
+ span ports to capture a larger amount of data. Data captur span ports to capture a larger amount of data. Data captur
+ ed via this technique may include user credentials, especial ed via this technique may include user credentials, especial
+ ly those sent over an insecure, unencrypted protocol. Techni ly those sent over an insecure, unencrypted protocol. Techni
+ ques for name service resolution poisoning, such as [LLM NR/N ques for name service resolution poisoning, such as [Name Re
+ BT-NS Poisoning and SMB Relay](https://attack.mitre.org/techsolution Poisoning and SMB Relay](https://attack.mitre.org/t
+ niques/T1557/001), can also be used to capture credentials t echniques/T1557/001), can also be used to capture credential
+ o websites, proxies, and internal systems by redirecting tra s to websites, proxies, and internal systems by redirecting
+ ffic to an adversary. Network sniffing may reveal configura traffic to an adversary. Network sniffing may reveal config
+ tion details, such as running services, version numbers, and uration details, such as running services, version numbers,
+ other network characteristics (e.g. IP addresses, hostnames and other network characteristics (e.g. IP addresses, hostna
+ , VLAN IDs) necessary for subsequent [Lateral Movement](http mes, VLAN IDs) necessary for subsequent [Lateral Movement](h
+ s://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion ttps://attack.mitre.org/tactics/TA0008) and/or [Stealth ](htt
+ ](https://attack.mitre.org/tactics/TA0005) activities. Adverps://attack.mitre.org/tactics/TA0005) activities. Adversarie
+ saries may likely also utilize network sniffing during [Adve s may likely also utilize network sniffing during [Adversary
+ rsary-in-the-Middle](https://attack.mitre.org/techniques/T15 -in-the-Middle](https://attack.mitre.org/techniques/T1557) (
+ 57) (AiTM) to passively gain additional knowledge about the AiTM) to passively gain additional knowledge about the envir
+ environment. In cloud-based environments, adversaries may s onment. In cloud-based environments, adversaries may still
+ till be able to use traffic mirroring services to sniff netw be able to use traffic mirroring services to sniff network t
+ ork traffic from virtual machines. For example, AWS Traffic raffic from virtual machines. For example, AWS Traffic Mirro
+ Mirroring, GCP Packet Mirroring, and Azure vTap allow users ring, GCP Packet Mirroring, and Azure vTap allow users to de
+ to define specified instances to collect traffic from and sp fine specified instances to collect traffic from and specifi
+ ecified targets to send collected traffic to.(Citation: AWS ed targets to send collected traffic to.(Citation: AWS Traff
+ Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: ic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azur
+ Azure Virtual Network TAP) Often, much of this traffic will e Virtual Network TAP) Often, much of this traffic will be i
+ be in cleartext due to the use of TLS termination at the lo n cleartext due to the use of TLS termination at the load ba
+ ad balancer level to reduce the strain of encrypting and dec lancer level to reduce the strain of encrypting and decrypti
+ rypting traffic.(Citation: Rhino Security Labs AWS VPC Traff ng traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mi
+ ic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) Th rroring)(Citation: SpecterOps AWS Traffic Mirroring) The adv
+ e adversary can then use exfiltration techniques such as Tra ersary can then use exfiltration techniques such as Transfer
+ nsfer Data to Cloud Account in order to access the sniffed t Data to Cloud Account in order to access the sniffed traffi
+ raffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirror c.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
+ ing) On network devices, adversaries may perform network ca On network devices, adversaries may perform network capture
+ ptures using [Network Device CLI](https://attack.mitre.org/t s using [Network Device CLI](https://attack.mitre.org/techni
+ echniques/T1059/008) commands such as `monitor capture`.(Cit ques/T1059/008) commands such as `monitor capture`.(Citation
+ ation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_ : US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_so
+ on_software) ftware)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value description Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+
+Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
+
+Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
+
+In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
+
+On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software) Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+
+Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
+
+Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Stealth](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
+
+In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
+
+On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
[T1132.002] Data Encoding: Non-Standard Encoding Current version : 1.1
+
+
+
+
+
+ t Adversaries may encode data with a non-standard data encodin t Adversaries may encode data with a non-standard data encodin
+ g system to make the content of command and control traffic g system to make the content of command and control traffic
+ more difficult to detect. Command and control (C2) informati more difficult to detect. Command and control (C2) informati
+ on can be encoded using a non-standard data encoding system on can be encoded using a non-standard data encoding system
+ that diverges from existing protocol specifications. Non-sta that diverges from existing protocol specifications. Non-sta
+ ndard data encoding schemes may be based on or related to st ndard data encoding schemes may be based on or related to st
+ andard data encoding schemes, such as a modified Base64 enco andard data encoding schemes, such as a modified Base64 enco
+ ding for the message body of an HTTP request.(Citation: Wiki ding for the message body of an HTTP request.(Citation: Wiki
+ pedia Binary-to-text Encoding) (Citation: Wikipedia Characte pedia Binary-to-text Encoding)(Citation: Wikipedia Character
+ r Encoding) Encoding)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:27.237000+00:00 2026-04-21 18:10:25.277000+00:00 description Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) x_mitre_attack_spec_version 3.2.0 3.3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'University of Birmingham C2', 'description': 'Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.', 'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'}
[T1566] Phishing Current version : 2.7
+
+
+
+
+
+ t Adversaries may send phishing messages to gain access to vic t Adversaries may send phishing messages to gain access to vic
+ tim systems. All forms of phishing are electronically delive tim systems. All forms of phishing are electronically delive
+ red social engineering. Phishing can be targeted, known as s red social engineering. Phishing can be targeted, known as s
+ pearphishing. In spearphishing, a specific individual, compa pearphishing. In spearphishing, a specific individual, compa
+ ny, or industry will be targeted by the adversary. More gene ny, or industry will be targeted by the adversary. More gene
+ rally, adversaries can conduct non-targeted phishing, such a rally, adversaries can conduct non-targeted phishing, such a
+ s in mass malware spam campaigns. Adversaries may send vict s in mass malware spam campaigns. Adversaries may send vict
+ ims emails containing malicious attachments or links, typica ims emails containing malicious attachments or links, typica
+ lly to execute malicious code on victim systems. Phishing ma lly to execute malicious code on victim systems. Phishing ma
+ y also be conducted via third-party services, like social me y also be conducted via third-party services, like social me
+ dia platforms. Phishing may also involve social engineering dia platforms. Phishing may also involve social engineering
+ techniques, such as posing as a trusted source, as well as e techniques, such as posing as a trusted source, as well as e
+ vasive techniques such as removing or manipulating emails or vasive techniques such as removing or manipulating emails or
+ metadata/headers from compromised accounts being abused to metadata/headers from compromised accounts being abused to
+ send messages (e.g., [Email Hiding Rules](https://attack.mit send messages (e.g., [Email Hiding Rules](https://attack.mit
+ re.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spa re.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spa
+ m 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) An m 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) An
+ other way to accomplish this is by [Email Spoofing](https:// other way to accomplish this is by [Email Spoofing](https://
+ attack.mitre.org/techniques/T167 2)(Citation: Proofpoint-spoo attack.mitre.org/techniques/T1684/00 2)(Citation: Proofpoint-
+ f) the identity of the sender, which can be used to fool bot spoof) the identity of the sender, which can be used to fool
+ h the human recipient as well as automated security tools,(C both the human recipient as well as automated security tool
+ itation: cyberproof-double-bounce) or by including the inten s,(Citation: cyberproof-double-bounce) or by including the i
+ ded target as a party to an existing email thread that inclu ntended target as a party to an existing email thread that i
+ des malicious files or links (i.e., "thread hijacking").(Cit ncludes malicious files or links (i.e., "thread hijacking").
+ ation: phishing-krebs) Victims may also receive phishing me (Citation: phishing-krebs) Victims may also receive phishin
+ ssages that instruct them to call a phone number where they g messages that instruct them to call a phone number where t
+ are directed to visit a malicious URL, download malware,(Cit hey are directed to visit a malicious URL, download malware,
+ ation: sygnia Luna Month)(Citation: CISA Remote Monitoring a (Citation: sygnia Luna Month)(Citation: CISA Remote Monitori
+ nd Management Software) or install adversary-accessible remo ng and Management Software) or install adversary-accessible
+ te management tools onto their computer (i.e., [User Executi remote management tools onto their computer (i.e., [User Exe
+ on](https://attack.mitre.org/techniques/T1204)).(Citation: U cution](https://attack.mitre.org/techniques/T1204)).(Citatio
+ nit42 Luna Moth) n: Unit42 Luna Moth)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:11.351000+00:00 2026-04-17 16:14:54.713000+00:00 description Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1672)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth) Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1684/002)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth) x_mitre_attack_spec_version 3.2.0 3.3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'ACSC Email Spoofing', 'description': 'Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.', 'url': 'https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf'} external_references {'source_name': 'Microsoft Anti Spoofing', 'description': 'Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.', 'url': 'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide'}
[T1598] Phishing for Information Current version : 1.4
+
+
+
+
+
+ t Adversaries may send phishing messages to elicit sensitive i t Adversaries may send phishing messages to elicit sensitive i
+ nformation that can be used during targeting. Phishing for i nformation that can be used during targeting. Phishing for i
+ nformation is an attempt to trick targets into divulging inf nformation is an attempt to trick targets into divulging inf
+ ormation, frequently credentials or other actionable informa ormation, frequently credentials or other actionable informa
+ tion. Phishing for information is different from [Phishing]( tion. Phishing for information is different from [Phishing](
+ https://attack.mitre.org/techniques/T1566) in that the objec https://attack.mitre.org/techniques/T1566) in that the objec
+ tive is gathering data from the victim rather than executing tive is gathering data from the victim rather than executing
+ malicious code. All forms of phishing are electronically d malicious code. All forms of phishing are electronically d
+ elivered social engineering. Phishing can be targeted, known elivered social engineering. Phishing can be targeted, known
+ as spearphishing. In spearphishing, a specific individual, as spearphishing. In spearphishing, a specific individual,
+ company, or industry will be targeted by the adversary. More company, or industry will be targeted by the adversary. More
+ generally, adversaries can conduct non-targeted phishing, s generally, adversaries can conduct non-targeted phishing, s
+ uch as in mass credential harvesting campaigns. Adversaries uch as in mass credential harvesting campaigns. Adversaries
+ may also try to obtain information directly through the exc may also try to obtain information directly through the exc
+ hange of emails, instant messages, or other electronic conve hange of emails, instant messages, or other electronic conve
+ rsation means.(Citation: ThreatPost Social Media Phishing)(C rsation means.(Citation: ThreatPost Social Media Phishing)(C
+ itation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Ci itation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Ci
+ tation: Sophos Attachment)(Citation: GitHub Phishery) Victim tation: Sophos Attachment)(Citation: GitHub Phishery) Victim
+ s may also receive phishing messages that direct them to cal s may also receive phishing messages that direct them to cal
+ l a phone number where the adversary attempts to collect con l a phone number where the adversary attempts to collect con
+ fidential information.(Citation: Avertium callback phishing) fidential information.(Citation: Avertium callback phishing)
+ Phishing for information frequently involves social engine Phishing for information frequently involves social engine
+ ering techniques, such as posing as a source with a reason t ering techniques, such as posing as a source with a reason t
+ o collect information (ex: [Establish Accounts](https://atta o collect information (ex: [Establish Accounts](https://atta
+ ck.mitre.org/techniques/T1585) or [Compromise Accounts](http ck.mitre.org/techniques/T1585) or [Compromise Accounts](http
+ s://attack.mitre.org/techniques/T1586)) and/or sending multi s://attack.mitre.org/techniques/T1586)) and/or sending multi
+ ple, seemingly urgent messages. Another way to accomplish th ple, seemingly urgent messages. Another way to accomplish th
+ is is by [Email Spoofing](https://attack.mitre.org/technique is is by [Email Spoofing](https://attack.mitre.org/technique
+ s/T167 2)(Citation: Proofpoint-spoof) the identity of the sen s/T1684/00 2)(Citation: Proofpoint-spoof) the identity of the
+ der, which can be used to fool both the human recipient as w sender, which can be used to fool both the human recipient
+ ell as automated security tools.(Citation: cyberproof-double as well as automated security tools.(Citation: cyberproof-do
+ -bounce) Phishing for information may also involve evasive uble-bounce) Phishing for information may also involve eva
+ techniques, such as removing or manipulating emails or meta sive techniques, such as removing or manipulating emails or
+ data/headers from compromised accounts being abused to send metadata/headers from compromised accounts being abused to s
+ messages (e.g., [Email Hiding Rules](https://attack.mitre.or end messages (e.g., [Email Hiding Rules](https://attack.mitr
+ g/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 202 e.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam
+ 2)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:24.096000+00:00 2026-04-17 16:15:21.344000+00:00 description Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.
+
+All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
+
+Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)
+
+Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1672)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
+
+Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.
+
+All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
+
+Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)
+
+Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1684/002)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
+
+Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) x_mitre_attack_spec_version 3.2.0 3.3.0
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'ACSC Email Spoofing', 'description': 'Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.', 'url': 'https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf'} external_references {'source_name': 'Microsoft Anti Spoofing', 'description': 'Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.', 'url': 'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide'}
[T1565.003] Data Manipulation: Runtime Data Manipulation Current version : 1.2
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:37.277000+00:00 2025-11-13 19:21:05.132000+00:00 external_references[2]['url'] https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf x_mitre_attack_spec_version 3.2.0 3.3.0
[T1566.004] Phishing: Spearphishing Voice Current version : 1.2
+
+
+
+
+
+ t Adversaries may use voice communications to ultimately gain t Adversaries may use voice communications to ultimately gain
+ access to victim systems. Spearphishing voice is a specific access to victim systems. Spearphishing voice is a specific
+ variant of spearphishing. It is different from other forms o variant of spearphishing. It is different from other forms o
+ f spearphishing in that it employs the use of manipulating a f spearphishing in that it employs the use of manipulating a
+ user into providing access to systems through a phone call user into providing access to systems through a phone call
+ or other forms of voice communications. Spearphishing freque or other forms of voice communications. Spearphishing freque
+ ntly involves social engineering techniques, such as posing ntly involves social engineering techniques, such as posing
+ as a trusted source (ex: [Impersonation](https://attack.mitr as a trusted source (ex: [Impersonation](https://attack.mitr
+ e.org/techniques/T1656 )) and/or creating a sense of urgency e.org/techniques/T1684/001 )) and/or creating a sense of urge
+ or alarm for the recipient. All forms of phishing are elect ncy or alarm for the recipient. All forms of phishing are e
+ ronically delivered social engineering. In this scenario, ad lectronically delivered social engineering. In this scenario
+ versaries are not directly sending malware to a victim vice , adversaries are not directly sending malware to a victim v
+ relying on [User Execution](https://attack.mitre.org/techniq ice relying on [User Execution](https://attack.mitre.org/tec
+ ues/T1204) for delivery and execution. For example, victims hniques/T1204) for delivery and execution. For example, vict
+ may receive phishing messages that instruct them to call a p ims may receive phishing messages that instruct them to call
+ hone number where they are directed to visit a malicious URL a phone number where they are directed to visit a malicious
+ , download malware,(Citation: sygnia Luna Month)(Citation: C URL, download malware,(Citation: sygnia Luna Month)(Citatio
+ ISA Remote Monitoring and Management Software) or install ad n: CISA Remote Monitoring and Management Software) or instal
+ versary-accessible remote management tools ([Remote Access T l adversary-accessible remote management tools ([Remote Acce
+ ools](https://attack.mitre.org/techniques/T1219)) onto their ss Tools](https://attack.mitre.org/techniques/T1219)) onto t
+ computer.(Citation: Unit42 Luna Moth) Adversaries may also heir computer.(Citation: Unit42 Luna Moth) Adversaries may
+ combine voice phishing with [Multi-Factor Authentication Re also combine voice phishing with [Multi-Factor Authenticatio
+ quest Generation](https://attack.mitre.org/techniques/T1621) n Request Generation](https://attack.mitre.org/techniques/T1
+ in order to trick users into divulging MFA credentials or a 621) in order to trick users into divulging MFA credentials
+ ccepting authentication prompts.(Citation: Proofpoint Vishin or accepting authentication prompts.(Citation: Proofpoint Vi
+ g) shing)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-07-02 18:06:37.932000+00:00 2026-04-17 16:04:48.737000+00:00 description Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
+
+All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Tools](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)
+
+Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing) Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1684/001)) and/or creating a sense of urgency or alarm for the recipient.
+
+All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Tools](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)
+
+Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing) x_mitre_attack_spec_version 3.2.0 3.3.0
[T1598.004] Phishing for Information: Spearphishing Voice Current version : 1.0
+
+
+
+
+
+ t Adversaries may use voice communications to elicit sensitive t Adversaries may use voice communications to elicit sensitive
+ information that can be used during targeting. Spearphishin information that can be used during targeting. Spearphishin
+ g for information is an attempt to trick targets into divulg g for information is an attempt to trick targets into divulg
+ ing information, frequently credentials or other actionable ing information, frequently credentials or other actionable
+ information. Spearphishing for information frequently involv information. Spearphishing for information frequently involv
+ es social engineering techniques, such as posing as a source es social engineering techniques, such as posing as a source
+ with a reason to collect information (ex: [Impersonation](h with a reason to collect information (ex: [Impersonation](h
+ ttps://attack.mitre.org/techniques/T1656 )) and/or creating a ttps://attack.mitre.org/techniques/T1684/001 )) and/or creati
+ sense of urgency or alarm for the recipient. All forms of ng a sense of urgency or alarm for the recipient. All forms
+ phishing are electronically delivered social engineering. In of phishing are electronically delivered social engineering
+ this scenario, adversaries use phone calls to elicit sensit . In this scenario, adversaries use phone calls to elicit se
+ ive information from victims. Known as voice phishing (or "v nsitive information from victims. Known as voice phishing (o
+ ishing"), these communications can be manually executed by a r "vishing"), these communications can be manually executed
+ dversaries, hired call centers, or even automated via roboca by adversaries, hired call centers, or even automated via ro
+ lls. Voice phishers may spoof their phone number while also bocalls. Voice phishers may spoof their phone number while a
+ posing as a trusted entity, such as a business partner or te lso posing as a trusted entity, such as a business partner o
+ chnical support staff.(Citation: BOA Telephone Scams) Victi r technical support staff.(Citation: BOA Telephone Scams) V
+ ms may also receive phishing messages that direct them to ca ictims may also receive phishing messages that direct them t
+ ll a phone number ("callback phishing") where the adversary o call a phone number ("callback phishing") where the advers
+ attempts to collect confidential information.(Citation: Aver ary attempts to collect confidential information.(Citation:
+ tium callback phishing) Adversaries may also use informatio Avertium callback phishing) Adversaries may also use inform
+ n from previous reconnaissance efforts (ex: [Search Open Web ation from previous reconnaissance efforts (ex: [Search Open
+ sites/Domains](https://attack.mitre.org/techniques/T1593) or Websites/Domains](https://attack.mitre.org/techniques/T1593
+ [Search Victim-Owned Websites](https://attack.mitre.org/tec ) or [Search Victim-Owned Websites](https://attack.mitre.org
+ hniques/T1594)) to tailor pretexts to be even more persuasiv /techniques/T1594)) to tailor pretexts to be even more persu
+ e and believable for the victim. asive and believable for the victim.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 23:11:31.420000+00:00 2026-04-17 16:07:06.553000+00:00 description Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
+
+All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)
+
+Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)
+
+Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim. Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1684/001)) and/or creating a sense of urgency or alarm for the recipient.
+
+All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)
+
+Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)
+
+Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim. x_mitre_attack_spec_version 3.2.0 3.3.0
[T1565.001] Data Manipulation: Stored Data Manipulation Current version : 1.1
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:29.225000+00:00 2025-11-13 19:21:05.131000+00:00 external_references[2]['url'] https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf x_mitre_attack_spec_version 3.2.0 3.3.0
[T1565.002] Data Manipulation: Transmitted Data Manipulation Current version : 1.1
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:25.162000+00:00 2025-11-13 19:21:05.133000+00:00 external_references[2]['url'] https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf x_mitre_attack_spec_version 3.2.0 3.3.0
[T1608.001] Stage Capabilities: Upload Malware Current version : 1.3
+
+
+
+
+
+ t Adversaries may upload malware to third-party or adversary c t Adversaries may upload malware to third-party or adversary c
+ ontrolled infrastructure to make it accessible during target ontrolled infrastructure to make it accessible during target
+ ing. Malicious software can include payloads, droppers, post ing. Malicious software can include payloads, droppers, post
+ -compromise tools, backdoors, and a variety of other malicio -compromise tools, backdoors, and a variety of other malicio
+ us content. Adversaries may upload malware to support their us content. Adversaries may upload malware to support their
+ operations, such as making a payload available to a victim n operations, such as making a payload available to a victim n
+ etwork to enable [Ingress Tool Transfer](https://attack.mitr etwork to enable [Ingress Tool Transfer](https://attack.mitr
+ e.org/techniques/T1105) by placing it on an Internet accessi e.org/techniques/T1105) by placing it on an Internet accessi
+ ble web server. Malware may be placed on infrastructure tha ble web server. Malware may be placed on infrastructure tha
+ t was previously purchased/rented by the adversary ([Acquire t was previously purchased/rented by the adversary ([Acquire
+ Infrastructure](https://attack.mitre.org/techniques/T1583)) Infrastructure](https://attack.mitre.org/techniques/T1583))
+ or was otherwise compromised by them ([Compromise Infrastru or was otherwise compromised by them ([Compromise Infrastru
+ cture](https://attack.mitre.org/techniques/T1584)). Malware cture](https://attack.mitre.org/techniques/T1584)). Malware
+ can also be staged on web services, such as GitHub or Pasteb can also be staged on web services, such as GitHub or Pasteb
+ in; hosted on the InterPlanetary File System (IPFS), where d in; hosted on the InterPlanetary File System (IPFS), where d
+ ecentralized content storage makes the removal of malicious ecentralized content storage makes the removal of malicious
+ files difficult; or saved on the blockchain as smart contrac files difficult; or saved on the blockchain as smart contrac
+ ts, which are resilient against takedowns that would affect ts, which are resilient against takedowns that would affect
+ traditional infrastructure.(Citation: Volexity Ocean Lotus N traditional infrastructure.(Citation: Volexity Ocean Lotus N
+ ovember 2020)(Citation: Talos IPFS 2022)(Citation: Guardio E ovember 2020)(Citation: Talos IPFS 2022)(Citation: Guardio E
+ therhiding 2023)(Citation: Bleeping Computer Binance Smart C therhiding 2023)(Citation: Bleeping Computer Binance Smart C
+ hain 2023) Adversaries may upload backdoored files, such as hain 2023) Adversaries may upload backdoored files, such as
+ software packages, application binaries, virtual machine im software packages, application binaries, virtual machine im
+ ages, or container images, to third-party software stores, p ages, or container images, to third-party software stores, p
+ ackage libraries, extension marketplaces, or repositories (e ackage libraries, extension marketplaces, or repositories (e
+ x: GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, NPM). x: GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, NPM).
+ (Citation: Datadog Security Labs Malicious PyPi Packages 202 (Citation: Datadog Security Labs Malicious PyPi Packages 202
+ 4) By chance encounter, victims may directly download/instal 4) By chance encounter, victims may directly download/instal
+ l these backdoored files via [User Execution](https://attack l these backdoored files via [User Execution](https://attack
+ .mitre.org/techniques/T1204). Masquerading, including typo- s .mitre.org/techniques/T1204). Masquerading, including typosq
+ quatting legitimate software, may increase the chance of use uatting legitimate software, may increase the chance of user
+ rs mistakenly executing these files. s mistakenly executing these files.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:41.583000+00:00 2026-04-01 19:06:26.976000+00:00 description Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
+
+Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin; hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult; or saved on the blockchain as smart contracts, which are resilient against takedowns that would affect traditional infrastructure.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)(Citation: Guardio Etherhiding 2023)(Citation: Bleeping Computer Binance Smart Chain 2023)
+
+Adversaries may upload backdoored files, such as software packages, application binaries, virtual machine images, or container images, to third-party software stores, package libraries, extension marketplaces, or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, NPM).(Citation: Datadog Security Labs Malicious PyPi Packages 2024) By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). Masquerading, including typo-squatting legitimate software, may increase the chance of users mistakenly executing these files. Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
+
+Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin; hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult; or saved on the blockchain as smart contracts, which are resilient against takedowns that would affect traditional infrastructure.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)(Citation: Guardio Etherhiding 2023)(Citation: Bleeping Computer Binance Smart Chain 2023)
+
+Adversaries may upload backdoored files, such as software packages, application binaries, virtual machine images, or container images, to third-party software stores, package libraries, extension marketplaces, or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, NPM).(Citation: Datadog Security Labs Malicious PyPi Packages 2024) By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). Masquerading, including typosquatting legitimate software, may increase the chance of users mistakenly executing these files.
[T1543.003] Create or Modify System Process: Windows Service Current version : 1.6
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:33.408000+00:00 2026-04-23 18:48:07.774000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_contributors[3] Wietze Beukema, @wietze Wietze Beukema @Wietze
Revocations [T1070.002] Clear Linux or Mac System Logs Current version : 1.0
Description :
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
+
+/var/log/messages:: General and system-related messages
+/var/log/secure or /var/log/auth.log: Authentication logs
+/var/log/utmp or /var/log/wtmp: Login records
+/var/log/kern.log: Kernel logs
+/var/log/cron.log: Crond logs
+/var/log/maillog: Mail server logs
+/var/log/httpd/: Web server access and error logs
+ This object has been revoked by [T1685.006] Clear Linux or Mac System Logs
Description for [T1685.006] Clear Linux or Mac System Logs : Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the `/var/log/` directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
+
+* `/var/log/messages:`: General and system-related messages
+* `/var/log/secure or /var/log/auth.log`: Authentication logs
+* `/var/log/utmp or /var/log/wtmp`: Login records
+* `/var/log/kern.log`: Kernel logs
+* `/var/log/cron.log`: Crond logs
+* `/var/log/maillog`: Mail server logs
+* `/var/log/httpd/`: Web server access and error logs
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:34.441000+00:00 2026-04-14 22:54:50.786000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1070.001] Clear Windows Event Logs Current version : 1.5
Description :
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
+With administrator privileges, the event logs can be cleared with the following utility commands:
+
+wevtutil cl system
+wevtutil cl application
+wevtutil cl security
+
+These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell . For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
This object has been revoked by [T1685.005] Clear Windows Event Logs
Description for [T1685.005] Clear Windows Event Logs : Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
+
+With administrator privileges, the event logs can be cleared with the following utility commands:
+
+* `wevtutil cl system`
+* `wevtutil cl application`
+* `wevtutil cl security`
+
+These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+
+Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:52.287000+00:00 2026-04-14 22:54:48.496000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.002] Disable Windows Event Logging Current version : 1.4
Description :
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.
+The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)
+Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)
+There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging)
+Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)
+By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
This object has been revoked by [T1685.001] Disable or Modify Windows Event Log
Description for [T1685.001] Disable or Modify Windows Event Log : Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. Windows Event Log records user and system activity such as login attempts and process creation.(Citation: EventLog_Core_Technologies) This data is used by security tools and analysts to generate detections.
+
+The EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to `Security Settings\Local Policies\Audit Policy` for basic audit policy settings or `Security Settings\Advanced Audit Policy Configuration` for advanced audit policy settings.(Citation: Microsoft Audit Policy)(Citation: Microsoft Adv Security Settings) `auditpol.exe` may also be used to set audit policies.(Citation: Microsoft auditpol)
+
+Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the `Set-Service -Name EventLog -Status Stopped` or `sc config eventlog start=disabled` commands (followed by manually stopping the service using `Stop-Service -Name EventLog`). Additionally, the service may be disabled by modifying the "Start" value in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog` then restarting the system for the change to take effect.(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging)
+
+There are several ways to disable the EventLog service via registry key modification. Without Administrator privileges, adversaries may modify the "Start" value in the key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security`, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) With Administrator privilege, adversaries may modify the same values in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System` and `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application` to disable the entire EventLog.
+
+Additionally, adversaries may use `auditpol` and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the `/success` or `/failure` parameters. For example, `auditpol /set /category:"Account Logon" /success:disable /failure:disable` turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC) To clear the audit policy, adversaries may run the following lines: `auditpol /clear /y` or `auditpol /remove /allusers`.(Citation: T1562.002_redcanaryco)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:45.425000+00:00 2026-04-14 22:54:40.108000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.007] Disable or Modify Cloud Firewall Current version : 1.3
Description :
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall .
+Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)
+Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for Brute Force or Endpoint Denial of Service .
This object has been revoked by [T1686.001] Cloud Firewall
Description for [T1686.001] Cloud Firewall : Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
+
+Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane.
+
+For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Expel AWS)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:58.515000+00:00 2026-04-14 22:54:46.072000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.008] Disable or Modify Cloud Logs Current version : 2.1
Description :
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
+For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
This object has been revoked by [T1685.002] Disable or Modify Cloud Log
Description for [T1685.002] Disable or Modify Cloud Log : An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
+
+For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality, for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Cloud Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:23.308000+00:00 2026-04-14 22:54:41.829000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.012] Disable or Modify Linux Audit System Current version : 1.0
Description :
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
+Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules, containing a sequence of auditctl commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)
+With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with auditd daemon or use systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the /etc/audit/audit.rules or audit.conf files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
This object has been revoked by [T1685.004] Disable or Modify Linux Audit System Log
Description for [T1685.004] Disable or Modify Linux Audit System Log : Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
+
+Often referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: IzyKnows auditd threat detection 2022)(Citation: Red Hat Linux Disable or Mod)
+
+With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: ESET Ebury Feb 2014)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:20:10.121000+00:00 2026-04-14 22:54:44.666000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.013] Disable or Modify Network Device Firewall Current version : 1.0
Description :
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
+Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions.(Citation: Exposed Fortinet Fortigate firewall interface leads to LockBit Ransomware)
+Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet Exploit Public-Facing Application .(Citation: CVE-2024-55591 Detail)
This object has been revoked by [T1686.002] Network Device Firewall
Description for [T1686.002] Network Device Firewall : Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
+
+Adversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subsets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.
+
+Adversaries may obtain access to network device management interfaces via [Valid Accounts](https://attack.mitre.org/techniques/T1078) or by exploiting vulnerabilities. In some cases, threat actors may target firewalls and other network infrastructure that are exposed to the internet by leveraging weaknesses in public-facing applications ([Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).(Citation: CVE-2024-55591 Detail)
+
+Adversaries may also modify host networking configurations that indirectly manipulate system firewalls, such as adjusting interface bandwidth or network connection request thresholds.
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-22 00:01:58.079000+00:00 2026-04-14 22:54:47.142000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True external_references[1]['url'] https://posts.inthecyber.com/exposed-fortinet-fortigate-firewall-interface-leads-to-lockbit-ransomware-cve-2024-55591-de8fcfb6c45c https://posts.inthecyber.com/exposed-fortinet-fortigate-firewall-interface-leads-to-lockbit-ransomware-cve-2024-55591-8f4b7a244041
[T1562.004] Disable or Modify System Firewall Current version : 1.3
Description :
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
+Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port ).(Citation: change_rdp_port_conti)
+Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.
+In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)
This object has been revoked by [T1686] Disable or Modify System Firewall
Description for [T1686] Disable or Modify System Firewall : Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.(Citation: change_rdp_port_conti)
+
+Adversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Broadcom ESXi Firewall)(Citation: Trellix Rnasomhouse 2024)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:47.755000+00:00 2026-04-14 22:54:32.535000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.001] Disable or Modify Tools Current version : 1.7
Description :
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
+Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.(Citation: Cocomazzi FIN7 Reboot)
+Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking , adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via File/Path Exclusions .(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)
+Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
+On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
+In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
+Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
+Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation ), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
This object has been revoked by [T1685] Disable or Modify Tools
Description for [T1685] Disable or Modify Tools : Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware)
+
+In addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)
+
+More advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization’s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:13.019000+00:00 2026-04-14 22:54:28.635000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.010] Downgrade Attack Current version : 1.3
Description :
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
+Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreter s or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing .(Citation: Praetorian TLS Downgrade Attack 2014) For example, PowerShell versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)
+Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)
This object has been revoked by [T1689] Downgrade Attack
Description for [T1689] Downgrade Attack : Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
+
+Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to impair defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike downgrade attack)(Citation: Google Cloud downgrade attack)(Citation: att_def_ps_logging)
+
+Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: CrowdStrike Downgrade attack 2) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:02.550000+00:00 2026-04-14 22:54:35.297000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1672] Email Spoofing Current version : 1.1
Description :
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.
+This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as v=DMARC1; p=none; fo=1;. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk)
+Adversaries may abuse Microsoft 365’s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend) Adversaries may also abuse absent or weakly configured SPF, SKIM, and/or DMARC policies to conceal social engineering attempts(Citation: ic3-dprk) such as Phishing . They may also leverage email spoofing for Impersonation of legitimate external individuals and organizations, such as journalists and academics.(Citation: ic3-dprk)
This object has been revoked by [T1684.002] Email Spoofing
Description for [T1684.002] Email Spoofing : Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.
+
+Enterprise environments can use Domain-based Message Authentication, Reporting, and Conformance (DMARC) as an email authentication protocol that references results of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configurations. SPF and DKIM are configured separately in DNS: SPF verifies that the sending server is authorized for the domain, while DKIM uses a digital signature to verify email integrity and domain authentication. Together, they validate email authenticity and specify how receiving servers should handle authentication failures. Without enforced identity authentication, adversaries may compromise the integrity of an authentication check with altered headers that would not have otherwise passed.(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC)
+
+An example of a weak or absent DMARC policy is `v=DMARC1; p=none; fo=1;`. The `p=none`. The `p=none` indicates no action should be taken, and therefore no filtering action will take place, even if an email fails authentication checks (i.e., SPF and/or DKIM fail). When a DMARC policy indicates no action, the email will still be delivered to the victim’s inbox.(Citation: ic3-dprk)
+
+Adversaries have abused weak or absent DMARC policies to circumvent authentication checks and conceal social engineering attempts. Adversaries can alter email headers to include legitimate domain names with fake usernames or impersonate legitimate users via [Impersonation](https://attack.mitre.org/techniques/T1684/001) for [Phishing](https://attack.mitre.org/techniques/T1566). Additionally, adversaries may abuse Microsoft 365’s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-09-24 21:03:46.869000+00:00 2026-04-14 22:54:37.081000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.003] Impair Command History Logging Current version : 2.3
Description :
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
+On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. The HISTFILE environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
+Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
+On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
+Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).
This object has been revoked by [T1690] Prevent Command History Logging
Description for [T1690] Prevent Command History Logging : Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they have done.
+
+On Linux and macOS, command history is tracked in a file pointed to by the environment variable `HISTFILE`. When a user logs off a system, this information is flushed to a file in the user's home directory called `~/.bash_history`. The `HISTCONTROL` environment variable keeps track of what should be saved by the history command and eventually into the `~/.bash_history` file when a user logs out. `HISTCONTROL` does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
+
+Adversaries may clear the history environment variable (`unset HISTFILE`) or set the command history size to zero (`export HISTFILESIZE=0`) to prevent logging of commands. Additionally, `HISTCONTROL` can be configured to ignore commands that start with a space by simply setting it to "ignorespace". `HISTCONTROL` can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that " ls" will not be saved, but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
+
+On Windows systems, the `PSReadLine` module tracks commands used in all PowerShell sessions and writes them to a file (`$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` by default). Adversaries may change where these logs are saved using `Set-PSReadLineOption -HistorySavePath {File Path}`. This will cause `ConsoleHost_history.txt` to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command `Set-PSReadlineOption -HistorySaveStyle SaveNothing`.(Citation: Microsoft about_History prevent command history)(Citation: Sophos PowerShell Command History Forensics)
+
+Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. `no logging`).
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:49:05.941000+00:00 2026-04-14 22:54:31.686000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562] Impair Defenses Current version : 1.7
Description :
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
+Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
This object has been revoked by [T1685] Disable or Modify Tools
Description for [T1685] Disable or Modify Tools : Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware)
+
+In addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)
+
+More advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization’s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:41.123000+00:00 2026-04-14 22:54:52.137000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1656] Impersonation Current version : 1.1
Description :
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information , Phishing , or Internal Spearphishing ) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.
+In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft .
+Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as payment, request, or urgent to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.
+Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains ) to substantiate their false identity.(Citation: CrowdStrike-BEC)
+There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)
This object has been revoked by [T1684.001] Impersonation
Description for [T1684.001] Impersonation : Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.
+
+In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).
+
+Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.
+
+Impersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: Crowdstrike BEC)
+
+There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 22:41:31.140000+00:00 2026-04-14 22:54:38.372000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.006] Indicator Blocking Current version : 1.5
Description :
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation .
+For example, adversaries may modify the File value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging)
+ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.
+In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
+In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors. (Citation: LemonDuck) ESXi also leverages syslog, which can be reconfigured via commands such as esxcli system syslog config set and esxcli system syslog config reload.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Broadcom Configuring syslog on ESXi)
This object has been revoked by [T1685] Disable or Modify Tools
Description for [T1685] Disable or Modify Tools : Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware)
+
+In addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)
+
+More advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization’s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:57.704000+00:00 2026-04-14 22:54:30.917000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.009] Safe Mode Boot Current version : 1.1
Description :
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
+Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)
+Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry ). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)
This object has been revoked by [T1688] Safe Mode Boot
Description for [T1688] Safe Mode Boot : Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Windows Startup Settings)(Citation: Sophos Safe Mode Boot)
+
+Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit)
+
+Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason safe mode boot)(Citation: BleepingComputer REvil 2021)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-10-24 17:48:33.044000+00:00 2026-04-14 22:54:34.011000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
[T1562.011] Spoof Security Alerting Current version : 1.0
Description :
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
+Rather than or in addition to Indicator Blocking , an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., Disable or Modify Tools ). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.
+For example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)
This object has been revoked by [T1685.003] Modify or Spoof Tool UI
Description for [T1685.003] Modify or Spoof Tool UI : Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response.
+
+Adversaries may present misleading or falsified security tool interfaces (UIs) that display normal or healthy status indicators, even when underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries can undermine defender trust in these signals and obscure the true security posture of the system.
+
+This behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity.
+
+For example, adversaries may display a fake Windows Security interface or system tray icon indicating a “protected” or “healthy” state after disabling Windows Defender or related services.(Citation: BlackBasta)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 23:12:05.813000+00:00 2026-04-14 22:54:43.164000+00:00 kill_chain_phases[0]['phase_name'] defense-evasion stealth revoked False True
mobile-attack Minor Version Changes [T1660] Phishing Current version : 1.2
Version changed from : 1.1 → 1.2
+
+
+
+
+
+ t Adversaries may send malicious content to users in order to t Adversaries may send malicious content to users in order to
+ gain access to their mobile devices. All forms of phishing a gain access to their mobile devices. All forms of phishing a
+ re electronically delivered social engineering. Adversaries re electronically delivered social engineering. Adversaries
+ can conduct both non-targeted phishing, such as in mass malw can conduct both non-targeted phishing, such as in mass malw
+ are spam campaigns, as well as more targeted phishing tailor are spam campaigns, as well as more targeted phishing tailor
+ ed for a specific individual, company, or industry, known as ed for a specific individual, company, or industry, known as
+ “spearphishing.” Phishing often involves social engineering “spearphishing.” Phishing often involves social engineering
+ techniques, such as posing as a trusted source, as well as techniques, such as posing as a trusted source, as well as
+ evasion techniques, such as removing or manipulating emails evasion techniques, such as removing or manipulating emails
+ or metadata/headers from compromised accounts being abused t or metadata/headers from compromised accounts being abused t
+ o send messages. Mobile phishing may take various forms. Fo o send messages. Mobile phishing may take various forms. Fo
+ r example, adversaries may send emails containing malicious r example, adversaries may send emails containing malicious
+ attachments or links, typically to deliver and then execute attachments or links, typically to deliver and then execute
+ malicious code on victim devices. Phishing may also be condu malicious code on victim devices. Phishing may also be condu
+ cted via third-party services, like social media platforms. cted via third-party services, like social media platforms.
+ Adversaries may also impersonate executives of organizations Adversaries may also impersonate executives of organizations
+ to persuade victims into performing some action on their be to persuade victims into performing some action on their be
+ half. For example, adversaries will often use social enginee half. For example, adversaries will often use social enginee
+ ring techniques in text messages to trick the victims into a ring techniques in text messages to trick the victims into a
+ cting quickly, which leads to adversaries obtaining credenti cting quickly, which leads to adversaries obtaining credenti
+ als and other information. Mobile devices are a particular als and other information. Mobile devices are a particular
+ ly attractive target for adversaries executing phishing camp ly attractive target for adversaries executing phishing camp
+ aigns. Due to their smaller form factor than traditional de aigns. Due to their smaller form factor than traditional de
+ sktop endpoints, users may not be able to notice minor diffe sktop endpoints, users may not be able to notice minor diffe
+ rences between genuine and phishing websites. Further, mobil rences between genuine and phishing websites. Further, mobil
+ e devices have additional sensors and radios that allow adve e devices have additional sensors and radios that allow adve
+ rsaries to execute phishing attempts over several different rsaries to execute phishing attempts over several different
+ vectors, such as: - SMS messages: Adversaries may send SMS vectors, such as: - SMS messages: Adversaries may send SMS
+ messages (known as “smishing”) from compromised devices to messages (known as “smishing”) from compromised devices to
+ potential targets to convince the target to, for example, in potential targets to convince the target to, for example, in
+ stall malware, navigate to a specific website, or enable cer stall malware, navigate to a specific website, or enable cer
+ tain insecure configurations on their device. - Quick Respon tain insecure configurations on their device. - Quick Respon
+ se (QR) Codes: Adversaries may use QR codes (known as “quish se (QR) Codes: Adversaries may use QR codes (known as “quish
+ ing”) to redirect users to a phishing website. For example, ing”) to redirect users to a phishing website. For example,
+ an adversary could replace a legitimate public QR Code with an adversary could replace a legitimate public QR Code with
+ one that leads to a different destination, such as a phishin one that leads to a different destination, such as a phishin
+ g website. A malicious QR code could also be delivered via o g website. A malicious QR code could also be delivered via o
+ ther means, such as SMS or email. In the latter case, an adv ther means, such as SMS or email. In the latter case, an adv
+ ersary could utilize a malicious QR code in an email to pivo ersary could utilize a malicious QR code in an email to pivo
+ t from the user’s desktop computer to their mobile device. - t from the user’s desktop computer to their mobile device. -
+ Phone Calls: Adversaries may call victims (known as “vishin Phone Calls: Adversaries may call victims (known as "vishin
+ g” ) to persuade them to perform an action, such as providingg" ) to persuade them to perform an action, such as providing
+ login credentials or navigating to a malicious website. Thi login credentials or navigating to malicious websites . Comm
+ s could also be used as a technique to perform the initial a on vishing targets include employees, especially executives
+ ccess on a mobile device, but then pivot to a computer/other of organizations, and help desks. This may also be used as a
+ networ k by having the victim perform an action on a desktop technique to perform the initial access on a mobile device,
+ computer. but then pivot to a des ktop computer by having the victims
+ perform actions on a desktop computer. With the rise of arti
+ ficial intelligence (AI), adversaries may also use AI to clo
+ ne a person’s voice, resulting in deepfake vishing. The clon
+ ed voice provides familiarity to the victims, increasing the
+ likelihood of successful malicious actions performed by the
+ victims. Additionally, adversaries may leave voicemails, wh
+ ich may use a real person’s voice or an AI-generated voice;
+ these scams would urgently ask victims into calling back to
+ perform an action, e.g. sending money or providing sensitive
+ information and credentials.
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-08-20 14:33:34.968000+00:00 2026-04-20 17:38:10.545000+00:00 description Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing.” Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.
+
+Mobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Adversaries may also impersonate executives of organizations to persuade victims into performing some action on their behalf. For example, adversaries will often use social engineering techniques in text messages to trick the victims into acting quickly, which leads to adversaries obtaining credentials and other information.
+
+Mobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as:
+
+- SMS messages: Adversaries may send SMS messages (known as “smishing”) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.
+- Quick Response (QR) Codes: Adversaries may use QR codes (known as “quishing”) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.
+- Phone Calls: Adversaries may call victims (known as “vishing”) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.
+ Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing.” Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.
+
+Mobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Adversaries may also impersonate executives of organizations to persuade victims into performing some action on their behalf. For example, adversaries will often use social engineering techniques in text messages to trick the victims into acting quickly, which leads to adversaries obtaining credentials and other information.
+
+Mobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as:
+
+- SMS messages: Adversaries may send SMS messages (known as “smishing”) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.
+- Quick Response (QR) Codes: Adversaries may use QR codes (known as “quishing”) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.
+- Phone Calls: Adversaries may call victims (known as "vishing") to persuade them to perform an action, such as providing login credentials or navigating to malicious websites. Common vishing targets include employees, especially executives of organizations, and help desks. This may also be used as a technique to perform the initial access on a mobile device, but then pivot to a desktop computer by having the victims perform actions on a desktop computer. With the rise of artificial intelligence (AI), adversaries may also use AI to clone a person’s voice, resulting in deepfake vishing. The cloned voice provides familiarity to the victims, increasing the likelihood of successful malicious actions performed by the victims. Additionally, adversaries may leave voicemails, which may use a real person’s voice or an AI-generated voice; these scams would urgently ask victims into calling back to perform an action, e.g. sending money or providing sensitive information and credentials.
+ x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
ics-attack New Techniques [T1695] Block Communications Current version : 1.0
Description :
Operational technology communications occur over serial COM, Ethernet, Wi-Fi, cellular (4G/5G), and satellite mediums. Adversaries may block communications to prevent reporting messages and command messages from reaching their intended target devices disrupting processes, operations, and causing cyber-physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
+Adversaries may block communications by either making modifications to software (System Firmware , Module Firmware , Hooking , and Rootkit ) and services (Service Stop , Denial of Service ) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an Adversary-in-the-Middle attack.
[T1691] Block Operational Technology Message Current version : 1.0
Description :
Adversaries may block messages between systems and devices in an OT/ICS environment to disrupt processes. Messages typically fall into two categories: (1) reporting messages that contain telemetry data about the current state of systems, devices, and processes and (2) command messages that contain instructions to control systems, devices, and processes. Both types of messages are critical for the proper functioning of industrial control processes and failure of the messages to reach their intended destinations could inhibit response functions or create an unsafe condition that could have physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
+Adversaries may block communications by either making modifications to software (System Firmware , Module Firmware , Hooking , and Rootkit ) and services (Service Stop , Denial of Service ) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an Adversary-in-the-Middle attack.
[T0846.002] Remote System Discovery: Broadcast Discovery Current version : 1.0
Description :
Adversaries may perform broadcast discovery requests to enumerate systems and devices on a network. Broadcast discovery works by one system or device sending messages to all systems and devices on a network (or subnet) and then waiting for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Adversaries may leverage different protocols supported on the network for sending broadcast messages.
+Some common OT protocols that have broadcast discovery mechanisms are Building Automation and Control Network (BACNet) Who-Is requests, Common Industrial Protocol (CIP) List Identity User Datagram Protocol (UDP) broadcast requests, and Siemens S7 broadcast identification requests.(Citation: Broadcasting BACnet)(Citation: Cisco Active Discovery)
[T1691.001] Block Operational Technology Message: Command Message Current version : 1.0
Description :
Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
[T1692.001] Unauthorized Message: Command Message Current version : 1.0
Description :
Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact .(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
+In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster.(Citation: Zack Whittaker April 2017)(Citation: Benjamin Freed March 2019)
[T1694.001] Insecure Credentials: Default Credentials Current version : 1.0
Description :
Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.(Citation: Keith Stouffer May 2015)
+Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.
[T0843.001] Program Download: Download All Current version : 1.0
Description :
Adversaries may execute a full program download to a PLC to overwrite the entire PLC program and configuration to deploy a new project or make major changes. This typically requires stopping the PLC and adversely impacting control processes.
+The ability to perform a full program download to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.
[T1695.002] Block Communications: Ethernet Current version : 1.0
Description :
Adversaries may block access to Ethernet communications to prevent instructions or configurations messages from reaching target systems and devices. Ethernet connections allow for communications between IT and OT systems and devices. Blocking Ethernet communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
+An adversary may block Ethernet communications by disabling network interfaces, Service Stop , or conducting an Adversary-in-the-Middle attack and dropping the network traffic.
[T1694.002] Insecure Credentials: Hardcoded Credentials Current version : 1.0
Description :
Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:
+
+Username/Passwords
+Cryptographic keys/Certificates
+API tokens
+
+Unlike Default Credentials , these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)
+Adversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets.
[T1694] Insecure Credentials Current version : 1.0
Description :
Adversaries may target insecure credentials as a means to persist on a system or device or move laterally from one system or device to another. Insecure credentials may appear as default credentials which are pre-configured credentials on a system, device, or software that are well-known in documentation or hard-coded credentials which are built into the system, device, or software that cannot be changed or not easily changed because of the impact on control processes.(Citation: NIST SP 800-82r3)(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)
+ Adversaries often times use insecure credentials to evade detection as they are typically forgotten about by system and device owners.
[T1693] Modify Firmware Current version : 1.0
Description :
Firmware is low-level software embedded in hardware that enables systems and devices to function properly and is commonly found in ICS environments. Adversaries may modify firmware on a system or device by installing malicious or vulnerable versions that enable them to achieve objectives such as Persistence , Impair Process Control , and Inhibit Response Function .
+Adversaries may modify system and device firmware by using the built-in firmware update functionality which may support local or remote installation. The malicious or vulnerable firmware may be delivered via Replication Through Removable Media , Supply Chain Compromise , or Remote Services . Once installed, the malicious or vulnerable firmware could be used to provide Rootkit and Hooking functionality, Exploitation for Privilege Escalation , or Denial of Service .(Citation: Basnight, Zachry, et al.)
[T1693.002] Modify Firmware: Module Firmware Current version : 1.0
Description :
Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.
+This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.(Citation: Daniel Peck, Dale Peterson January 2009)
+An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:(Citation: Daniel Peck, Dale Peterson January 2009)
+
+Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.
+Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.
+Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.
+A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.
+Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.
+ [T0846.003] Remote System Discovery: Multicast Discovery Current version : 1.0
Description :
Adversaries may perform multicast discovery requests which is when one system or device sends messages to all systems and devices in a pre-defined group on a network (or subnet) and then waits for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Multicast discovery tends to be stealthier than broadcast discovery because every system or device on the network (or subnet) is not being messaged.
+One common OT protocol that has a multicast discovery mechanism is the Process Field Network (PROFINET) Discovery and Configuration Protocol (DCP) with its Identify All requests.(Citation: Cisco Active Discovery)
[T0843.002] Program Download: Online Edit Current version : 1.0
Description :
Adversaries may execute an online edit of a PLC to update parts of an existing program. It does not require stopping the PLC which allows it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection.
+The ability to perform an online edit to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.
[T0846.001] Remote System Discovery: Port Scan Current version : 1.0
Description :
Adversaries may perform a port scan on a system, device, or network to identify live hosts, enumerate open ports and running services, identify operating systems, and map out the network.(Citation: NIST SP 800-82r3) The results of a port scan may inform adversary Discovery , Lateral Movement , and vulnerability exploitation decisions (Exploitation for Evasion , Exploitation for Privilege Escalation , Exploitation of Remote Services ).
+Some common tools for executing a port scan include nmap, netcat, and the Advanced Port Scanner.
[T0843.003] Program Download: Program Append Current version : 1.0
Description :
Adversaries may execute a program append to a PLC to update parts of an existing program. It may or may not require stopping the PLC which may allow it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection.
+The ability to perform a program append to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.
[T1692.002] Unauthorized Message: Reporting Message Current version : 1.0
Description :
Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.
+If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
[T1691.002] Block Operational Technology Message: Reporting Message Current version : 1.0
Description :
Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.
+Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
[T1695.001] Block Communications: Serial COM Current version : 1.0
Description :
Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.
+A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.
[T0873.001] Project File Infection: Siemens Project File Format Current version : 1.0
Description :
Adversaries may infect Siemens PLC project files (i.e., Step 7, WinCC, etc.) to achieve Execution , Persistence , and Lateral Movement objectives. Adversaries may modify an existing project file or bring their own project files into the environment.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
+The ability for an adversary to deploy an infected project file relies on access to a workstation with Siemens PLC programming software installed on it from which a program download can be performed.
[T1693.001] Modify Firmware: System Firmware Current version : 1.0
Description :
System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.
+An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.(Citation: Basnight, Zachry, et al.)
[T1692] Unauthorized Message Current version : 1.0
Description :
Adversaries may send unauthorized messages to ICS systems and devices to evade defenses or manipulate processes. Unauthorized messages can be categorized as either reporting messages that contain telemetry data about the current state of systems, devices, and processes or as command messages which instruct systems and devices on how to operate. By injecting unauthorized messages, adversaries can make it appear as if everything is working correctly when it isn’t, trigger alarms to misdirect personnel or impact processes, and manipulate controls to disrupt processes.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
+Adversaries may send unauthorized messages in an ICS environment using software found within the environment (living-off-the-land, vendor-specific interfaces, etc.), custom tooling leveraging OT protocols and libraries, or by positioning themselves between systems and devices and injecting messages into the communications such as the case with an Adversary-in-the-Middle attack.
[T1695.003] Block Communications: Wi-Fi Current version : 1.0
Description :
Adversaries may block access to Wi-Fi communications to prevent messages from reaching target systems and devices. Wi-Fi connections allow for communications between IT and OT systems and devices. Blocking Wi-Fi communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
+An adversary may block Wi-Fi communications by disabling network interfaces, Service Stop , conducting an Adversary-in-the-Middle attack and dropping the network traffic, or by jamming the Wi-Fi signal.
Minor Version Changes [T0873] Project File Infection Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Adversaries may attempt to infect project files with malicio t Adversaries may attempt to infect project files with malicio
+ us code. These project files may consist of objects, program us code. These project files may consist of objects, program
+ organization units, variables such as tags, documentation, organization units, variables such as tags, documentation,
+ and other configurations needed for PLC programs to function and other configurations needed for PLC programs to function
+ . (Citation: Beckhoff) Using built in functions of the engin .(Citation: Beckhoff) Using built in functions of the engine
+ eering software, adversaries may be able to download an infe ering software, adversaries may be able to download an infec
+ cted program to a PLC in the operating environment enabling ted program to a PLC in the operating environment enabling f
+ further [Execution](https://attack.mitre.org/tactics/TA0104) urther [Execution](https://attack.mitre.org/tactics/TA0104)
+ and [Persistence](https://attack.mitre.org/tactics/TA0110) and [Persistence](https://attack.mitre.org/tactics/TA0110) t
+ techniques. (Citation: PLCdev) Adversaries may export thei echniques.(Citation: PLCdev) Adversaries may export their
+ r own code into project files with conditions to execute at own code into project files with conditions to execute at sp
+ specific intervals. (Citation: Nicolas Falliere, Liam O Murc ecific intervals.(Citation: Nicolas Falliere, Liam O Murchu,
+ hu, Eric Chien February 2011) Malicious programs allow adver Eric Chien February 2011) Malicious programs allow adversar
+ saries control of all aspects of the process enabled by the ies control of all aspects of the process enabled by the PLC
+ PLC. Once the project file is downloaded to a PLC the workst . Once the project file is downloaded to a PLC the workstati
+ ation device may be disconnected with the infected project f on device may be disconnected with the infected project file
+ ile still executing. (Citation: PLCdev) still executing.(Citation: PLCdev)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:59:17.481000+00:00 2026-04-23 19:35:14.939000+00:00 description Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev)
+
+Adversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev) Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function.(Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques.(Citation: PLCdev)
+
+Adversaries may export their own code into project files with conditions to execute at specific intervals.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing.(Citation: PLCdev) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
Patches [T0846] Remote System Discovery Current version : 1.1
+
+
+
+
+
+ t Adversaries may attempt to get a listing of other systems by t Adversaries may attempt to get a listing of other systems by
+ IP address, hostname, or other logical identifier on a netw IP address, hostname, or other logical identifier on a netw
+ ork that may be used for subsequent Lateral Movement or Disc ork that may be used for subsequent Lateral Movement or Disc
+ overy techniques. Functionality could exist within adversary overy techniques. Functionality could exist within adversary
+ tools to enable this, but utilities available on the operat tools to enable this, but utilities available on the operat
+ ing system or vendor software could also be used. (Citation: ing system or vendor software could also be used.(Citation:
+ Enterprise ATT&CK January 2018) Enterprise ATT&CK January 2018)
+
+
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:18.958000+00:00 2026-04-23 19:39:03.420000+00:00 description Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018) Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.(Citation: Enterprise ATT&CK January 2018) x_mitre_attack_spec_version 3.2.0 3.3.0
Revocations [T0803] Block Command Message Current version : 1.1
Description :
Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
This object has been revoked by [T1691.001] Command Message
Description for [T1691.001] Command Message : Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-15 19:58:01.218000+00:00 2026-04-20 20:58:37.791000+00:00 revoked False True
[T0804] Block Reporting Message Current version : 1.0
Description :
Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.
+Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
This object has been revoked by [T1691.002] Reporting Message
Description for [T1691.002] Reporting Message : Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.
+
+Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:13.771000+00:00 2026-04-20 20:58:39.117000+00:00 revoked False True
[T0805] Block Serial COM Current version : 1.1
Description :
Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.
+A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.
This object has been revoked by [T1695.001] Serial COM
Description for [T1695.001] Serial COM : Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.
+
+A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:10.923000+00:00 2026-04-20 20:58:51.323000+00:00 revoked False True
[T0812] Default Credentials Current version : 1.0
Description :
Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)
+Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.
This object has been revoked by [T1694.001] Default Credentials
Description for [T1694.001] Default Credentials : Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.(Citation: Keith Stouffer May 2015)
+
+Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:16.206000+00:00 2026-04-20 20:58:48.356000+00:00 revoked False True
[T0891] Hardcoded Credentials Current version : 1.0
Description :
Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:
+
+Username/Passwords
+Cryptographic keys/Certificates
+API tokens
+
+Unlike Default Credentials , these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.
+Adversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets.
This object has been revoked by [T1694.002] Hardcoded Credentials
Description for [T1694.002] Hardcoded Credentials : Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:
+
+* Username/Passwords
+* Cryptographic keys/Certificates
+* API tokens
+
+Unlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)
+
+Adversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets.
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:18.583000+00:00 2026-04-20 20:58:49.917000+00:00 revoked False True
[T0839] Module Firmware Current version : 1.1
Description :
Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.
+This technique is similar to System Firmware , but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009)
+An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009)
+
+Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.
+Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.
+Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.
+A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.
+Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.
+ This object has been revoked by [T1693.002] Module Firmware
Description for [T1693.002] Module Firmware : Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.
+
+This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.(Citation: Daniel Peck, Dale Peterson January 2009)
+
+An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:(Citation: Daniel Peck, Dale Peterson January 2009)
+
+* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.
+* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.
+* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.
+* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.
+* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:20.310000+00:00 2026-04-20 20:58:46.789000+00:00 revoked False True
[T0856] Spoof Reporting Message Current version : 1.2
Description :
Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.
+If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
This object has been revoked by [T1692.002] Reporting Message
Description for [T1692.002] Reporting Message : Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.
+
+If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:15.909000+00:00 2026-04-20 20:58:43.011000+00:00 revoked False True
[T0857] System Firmware Current version : 1.1
Description :
System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.
+An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)
This object has been revoked by [T1693.001] System Firmware
Description for [T1693.001] System Firmware : System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.
+
+An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.(Citation: Basnight, Zachry, et al.)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:17.862000+00:00 2026-04-20 20:58:44.575000+00:00 revoked False True
[T0855] Unauthorized Command Message Current version : 1.2
Description :
Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact . (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
+In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)
This object has been revoked by [T1692.001] Command Message
Description for [T1692.001] Command Message : Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105).(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
+
+In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster.(Citation: Zack Whittaker April 2017)(Citation: Benjamin Freed March 2019)
Details dictionary_item_removed STIX Field Old value New Value x_mitre_detection
values_changed STIX Field Old value New Value modified 2025-04-16 21:26:13.939000+00:00 2026-04-20 20:58:41.104000+00:00 revoked False True
Software enterprise-attack New Software [S9027] ANELLDR Current version : 1.0
Description :
ANELLDR , a loader that has been in use since at least 2018, was designed to decrypt and execute UPPERCUT in memory. ANELLDR can use anti-analysis techniques and is known to share code overlap with HiddenFace .(Citation: Trend Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)
[S9031] AshTag Current version : 1.0
Description :
AshTag is a modular .NET backdoor with multiple features that has been used by WIRTE since at least 2025. AshTag is designed for persistence and remote command execution and can masquerade as a legitimate VisualServer utility.(Citation: Palo Alto Ashen Lepus DEC 2025)
[S9015] BRICKSTORM Current version : 1.0
Description :
BRICKSTORM is a cross-platform backdoor with variants written in Go and Rust that facilitates command and control, the ingress transfer of other malware, and the exfiltration of data.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Resecurity UNC5221 BRICKSTORM F5 Big-IP October 2025)(Citation: Google BRICKSTORM September 2025) BRICKSTORM has also been created from a .NET application using ahead-of-time (AOT) compilation to blend in within victim environments.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026) BRICKSTORM was first observed in April 2024.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) BRICKSTORM has previously been leveraged by People's Republic of China (PRC) state-nexus actors identified as UNC6201, UNC5221, WARP PANDA, PunyToad, and SYLVANITE.(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: NVISO BRICKSTORM April 2025)(Citation: Google BRICKSTORM GRIMBOLT UNC5221 UNC6201 February 2026)(Citation: Resecurity UNC5221 BRICKSTORM F5 Big-IP October 2025)(Citation: Google BRICKSTORM September 2025)
[S9011] BRUSHFIRE Current version : 1.0
Description :
BRUSHFIRE is a passive backdoor written in C that executes in-memory within an existing process. First reported in March 2025, BRUSHFIRE has been observed in activity attributed to People's Republic of China (PRC) state-affiliated threat actors, including UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)
[S9016] Caminho Current version : 1.0
Description :
Caminho is a downloader that has been used by threat actors since at least 2025 to deliver various strains of malware such as XWorm.(Citation: Zscaler BlindEagle DEC 2025)
[S9004] Crocodilus Current version : 1.0
Description :
Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.(Citation: ThreatFabric_Crocodilus_March2025)(Citation: ThreatFabric_Crocodilus_June2025)
[S9017] DCRAT Current version : 1.0
Description :
DCRAT is a variant of the open-source AsyncRAT developed in C# with additional capabilities such as patching Microsoft’s Antimalware Scan Interface (AMSI).(Citation: Zscaler BlindEagle DEC 2025)
[S9021] DOWNIISSA Current version : 1.0
Description :
DOWNIISSA is a shellcode downloader that has been used by MirrorFace since at least 2022 to deploy payloads, including the LODEINFO backdoor.(Citation: Kaspersky LODEINFO OCT 2022)
[S9013] DRYHOOK Current version : 1.0
Description :
DRYHOOK is Python script used to steal credentials. DRYHOOK was first reported in January 2025, and has previously been leveraged by People's Republic of China (PRC) state-affiliated threat actors identified as UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)
[S9002] Diskpart Current version : 1.0
Description :
Diskpart is a Windows command-line utility that is used to manage the computer’s drives, which includes disks, partitions, volumes and virtual hard disks.(Citation: Microsoft_diskpart_Feb2023)
+Adversaries may abuse Diskpart to perform discovery and destructive actions on a system’s storage. For example, adversaries have been observed using Diskpart to conduct Discovery techniques to enumerate disks and volumes to gather information about the host environment, and to execute commands such as clean all to remove partition information and overwrite data across disks, resulting in data destruction.(Citation: Trendmicro_RansomHub_Dec2024)
[S9038] DynoWiper Current version : 1.0
Description :
DynoWiper is a destructive malware associated with the 2025 Poland Wiper Attacks in December of 2025. DynoWiper is a native Windows binary that is distributed by a PowerShell script and overwrites files using data generated by the Mersenne Twister algorithm before they are deleted from the system. Multiple variants of DynoWiper have been identified, with the primary differences being that one variant shuts down the system after completing its destructive operations, and another introduces a time delay between file overwriting and deletion.(Citation: CERT Polska)(Citation: ESET DynoWiper Update JAN 2026)
[S9033] Fooder Current version : 1.0
Description :
Fooder is a custom 64-bit C/C++ loader used by MuddyWater that can decrypt and reflectively load embedded payloads such as a go-socks5 proxy utility, the open-source HackBrowserData infostealer, or the MuddyViper backdoor. Fooder has frequently masqueraded as an entertainment executable, such as the Snake game (e.g., Snake_Game.exe).(Citation: ESET_MuddyWater_Dec2025)
[S9010] GlassWorm Current version : 1.0
Description :
GlassWorm is a worm that propagated through supply chain attacks by compromising repository credentials from victim environments and having malicious payloads added to those compromised accounts for distribution to victims across the various development ecosystems.(Citation: Koi Glassworm InvisibleCode October 2025)(Citation: Aikido GlassWorm October 2025)(Citation: Socket GlassWorm January 2026) GlassWorm has numerous variants, including Rust binaries, encrypted JavaScript and a variant leveraging invisible Unicode characters that made reverse engineering difficult.(Citation: Koi Glassworm New Tricks December 2025)(Citation: Koi Glassworm InvisibleCode October 2025)(Citation: Koi GlassWorm Rust December 2025) GlassWorm has employed a unique command and control (C2) methodology using Solana blockchain.(Citation: Koi Glassworm Extensions November 2025)(Citation: Koi Glassworm InvisibleCode October 2025) GlassWorm was first reported in October 2025.(Citation: Koi Glassworm Extensions November 2025)(Citation: Koi Glassworm InvisibleCode October 2025)(Citation: Socket GlassWorm January 2026)
[S9007] HTTPTroy Current version : 1.0
Description :
HTTPTroy is a highly obfuscated backdoor that facilitates collection, command and control, defense evasion and exfiltration. HTTPTroy was first reported in October 2025. HTTPTroy has been observed in operations attributed to DPRK-affiliated threat actors, including Kimsuky . HTTPTroy has been delivered to victims through a separate loader leveraged by Kimsuky .(Citation: Gen Digital Kimsuky HTTPTroy October 2025)
[S9018] HeartCrypt Current version : 1.0
Description :
HeartCrypt is a packer-as-a-service (PaaS) used to protect malware that has been available since at least 2024. HeartCrypt has been used to pack a variety of malware including Lumma Stealer, Remcos, and Rhadamanthys. In the HeartCrypt PaaS model, customers submit malware via private messaging services and it is then packed and returned by the operator as a new binary.(Citation: Palo Alto HeartCrypt DEC 2024)
[S9023] HiddenFace Current version : 1.0
Description :
HiddenFace is a modular backdoor developed and used exclusively by MirrorFace since at least 2021. HiddenFace can communicate both actively and passively and has been used against political and academic targets.(Citation: JPCERT MirrorFace JUL 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)
[S9029] IronWind Current version : 1.0
Description :
IronWind is a custom loader malware that has been in use since at least 2023 by actors including WIRTE to target entities in the Middle East.(Citation: Check Point Wirte NOV 2024)
[S9035] LAMEHUG Current version : 1.0
Description :
LAMEHUG is a Python-based information stealer first identified in July 2025 by Ukraine's Computer Emergency Response Team (CERT-UA) in phishing emails targeting Ukrainian government officials. LAMEHUG is the first known malware reported to integrate artificial intelligence (AI) directly into its attack workflow, querying large language models (LLMs) hosted on Hugging Face to dynamically generate reconnaissance, data theft, and system manipulation commands at runtime. LAMEHUG has been attributed to APT28.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)(Citation: Cato LAMEHUG JUL 2025)
[S9020] LODEINFO Current version : 1.0
Description :
LODEINFO is a fileless backdoor malware first identified in 2020 that has been used by actors including MirrorFace, primarily against media, diplomatic, governmental, and public sector organizations in Japan.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: ITOCHU LODEINFO JAN 2024)(Citation: ESET MirrorFace DEC 2022)
[S9036] LP-Notes Current version : 1.0
Description :
LP-Notes is a C/C++ Windows credential stealer used by MuddyWater. LP-Notes was named after the lp-notes.txt file that it uses to store stolen credentials.(Citation: ESET_MuddyWater_Dec2025)
[S9039] LazyWiper Current version : 1.0
Description :
LazyWiper is a destructive malware observed targeting a manufacturing sector company during the 2025 Poland Wiper Attacks. LazyWiper is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). LazyWiper overwrites files on the system using the C# function WriteRandomBytes() and can target multiple specific file types by their extensions.(Citation: CERT Polska)
[S9022] MirrorStealer Current version : 1.0
Description :
MirrorStealer is a credential stealer that has been used by MirrorFace since at least 2022 to steal credentials from various applications, including browsers and email clients. MirrorStealer has been delivered directly into system memory via commands issued by LODEINFO.(Citation: ESET MirrorFace DEC 2022)
[S9032] MuddyViper Current version : 1.0
Description :
MuddyViper is a custom backdoor written in C and C++ used by MuddyWater for command and control (C2) communications and persistence. MuddyViper is loaded by Fooder and sends frequent messages to the C2 server.(Citation: ESET_MuddyWater_Dec2025)
[S9025] NOOPLDR Current version : 1.0
Description :
NOOPLDR is a shellcode loader with XML/C# and DLL versions that has been used by MirrorFace to load HiddenFace.(Citation: Trend Micro Earth Kasha NOV 2024)
[S9014] PHASEJAM Current version : 1.0
Description :
PHASEJAM is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. PHASEJAM was first reported in January 2025. PHASEJAM has previously been leveraged by People's Republic of China (PRC)-affiliated actors identified as UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti January 2025)
[S9028] PHPsert Current version : 1.0
Description :
PHPsert is a webshell used to execute PHP code that has been in use since at least 2023 against targets in Japan, Singapore, Peru, Taiwan, Iran, Republic of Korea, and the Philippines. PHPsert is not typically deployed as a standalone file but is instead embedded into existing web content, such as text editors and content management systems.(Citation: sentinelone operationDigitalEye Dec 2024)
[S9019] PureCrypter Current version : 1.0
Description :
PureCrypter is a fully-featured malware loader, developed by a threat actor called “PureCoder," that has been in use since at least 2021 to distribute a variety of remote access trojans and information stealers.(Citation: Zscaler PureCrypter JUN 2022)
[S9026] ROAMINGHOUSE Current version : 1.0
Description :
ROAMINGHOUSE is a dropper malware used by MirrorFace to extract and execute embedded payloads including UPPERCUT components.(Citation: Trend Micro Earth Kasha Updates APR 2025)
[S9037] RustyWater Current version : 1.0
Description :
RustyWater is a Rust-based implant used by MuddyWater. Historically, MuddyWater has relied on PowerShell-based tools; RustyWater reflects a shift in tooling that improves the group's defense evasion and makes reverse engineering of the implant more difficult.(Citation: CloudSEK_RustyWater_Jan2026)
[S9024] SPAWNCHIMERA Current version : 1.0
Description :
SPAWNCHIMERA is a backdoor that supports command and control and can inject malicious components into native processes.(Citation: CISA SPAWNCHIMERA RESURGE February 2026)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) SPAWNCHIMERA incorporates capabilities from multiple tools within the SPAWN malware family, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) SPAWNCHIMERA was first reported in April 2024.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024) SPAWNCHIMERA has been observed in activity attributed to People's Republic of China (PRC) state-sponsored threat actors, including UNC5221.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: Picus Security UNC5221 Ivanti May 2025)
[S9030] SameCoin Current version : 1.0
Description :
SameCoin is a multi-platform wiper with Windows and Android versions that has been used by WIRTE to target entities in the Middle East including in Israel.(Citation: Check Point Wirte NOV 2024)
[S9008] Shai-Hulud Current version : 1.0
Description :
Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Microsoft Shai-Hulud December 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025)(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)
[S9001] SystemBC Current version : 1.0
Description :
SystemBC is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment. SystemBC executes a variety of tasks including setting up SOCKS5 proxies, maintaining persistence, ingesting malicious files, and handling C2 communication. SystemBC was first detected in 2018, and has been used by Wizard Spider since at least 2020, and by FIN7 since at least 2022.(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)(Citation: SophosGnGal_SystemBC_Dec2020)(Citation: BlackBasta)(Citation: AhnLab_SystemBC_Apr2022)(Citation: Lumen_SystemBC_Sept2025)
[S9012] TRAILBLAZE Current version : 1.0
Description :
TRAILBLAZE is an in-memory dropper used to deploy the passive backdoor BRUSHFIRE. First reported in March 2025, TRAILBLAZE has been observed in operations attributed to People's Republic of China (PRC) state-sponsored actors, including UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti April 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)
[S9009] TruffleHog Current version : 1.0
Description :
TruffleHog is an open-source secrets-discovery tool that is used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.(Citation: Black Hills Information Security TruffleHog January 2024)(Citation: Github TruffleSecurity Trufflehog April 2025) TruffleHog has the ability to discover credentials and secrets stored in code repositories, git history, CI/CD pipelines, and other common storage locations, including filesystems and cloud storage buckets.(Citation: Black Hills Information Security TruffleHog January 2024)(Citation: Netskope Shai-Hulud November 2025)(Citation: Github TruffleSecurity Trufflehog April 2025) Because TruffleHog is a legitimate tool used by defenders, its presence alone is not an indicator of compromise; its execution context should be considered when it is observed. TruffleHog was first released by its author in 2016.(Citation: Github TruffleSecurity Trufflehog April 2025)
[S9034] Tsundere Botnet Current version : 1.0
Description :
Tsundere Botnet is a botnet first reported in mid-2025 that is delivered via MSI installer or PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. Tsundere Botnet is attributed to a likely Russian-speaking threat actor.
A variant named DinDoor has been linked to MuddyWater operations and uses the Deno runtime for execution rather than Node.js.(Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025)
[S9003] evilginx2 Current version : 1.0
Description :
evilginx2 is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. evilginx2 can be used as a reverse proxy between victims and legitimate web services to intercept and capture credentials, authentication tokens, and session cookies.(Citation: Evilginx 2 July 2018)(Citation: Breakdev Evilginx 2.1 SEP 2018)(Citation: Sophos Evilginx MAR 2025)
Major Version Changes [S1242] Qilin Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t [Qilin](https://attack.mitre.org/software/S1242) ransomware t [Qilin](https://attack.mitre.org/software/S1242) is a ransom
+ is a Ransomware-as-a-Service (RaaS) that has been active sin ware family operated as a ransomware-as-a-service (RaaS) tha
+ ce at least 2022 with versions written in Golang and Rust th t has been active since at least 2022. It includes variants
+ at are capable of targeting Windows or VMWare ESXi devices. written in Go and Rust capable of targeting Windows, Linux,
+ [Qilin](https://attack.mitre.org/software/S1242) shares func and VMware ESXi environments. [Qilin](https://attack.mitre.o
+ tionality overlaps with [Black Basta](https://attack.mitre.o rg/software/S1242) shares functionality overlaps with [Black
+ rg/software/S1070), [REvil](https://attack.mitre.org/softwar Basta](https://attack.mitre.org/software/S1070), [REvil](ht
+ e/S0496), and [BlackCat](https://attack.mitre.org/software/S tps://attack.mitre.org/software/S0496), and [BlackCat](https
+ 1068) ransomware and its RaaS affiliates have been observed ://attack.mitre.org/software/S1068) ransomware. [Qilin](http
+ targeting multiple sectors worldwide, including healthcare a s://attack.mitre.org/software/S1242) affiliates have targete
+ nd education in Asia, Europe, and Africa. (Citation: Trend M d multiple entities worldwide with the majority of victims i
+ icro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin n the US, France, Canada, and the UK, primarily in the manuf
+ NOV 2022)(Citation: BushidoToken Qilin RaaS JUN 2024)(Citat acturing, technology, financial services, and healthcare sec
+ ion: Sophos Qilin MSP APR 2025) tors.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Cita
+ tion: SentinelOne Qilin NOV 2022)(Citation: BushidoToken Qil
+ in RaaS JUN 2024)(Citation: Sophos Qilin MSP APR 2025)(Citat
+ ion: Trend Micro Agenda Ransomware OCT 2025)
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-23 21:54:13.055000+00:00 2026-04-23 03:12:30.298000+00:00 description [Qilin](https://attack.mitre.org/software/S1242) ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or VMWare ESXi devices. [Qilin](https://attack.mitre.org/software/S1242) shares functionality overlaps with [Black Basta](https://attack.mitre.org/software/S1070), [REvil](https://attack.mitre.org/software/S0496), and [BlackCat](https://attack.mitre.org/software/S1068) ransomware and its RaaS affiliates have been observed targeting multiple sectors worldwide, including healthcare and education in Asia, Europe, and Africa. (Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: Sophos Qilin MSP APR 2025) [Qilin](https://attack.mitre.org/software/S1242) is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. [Qilin](https://attack.mitre.org/software/S1242) shares functionality overlaps with [Black Basta](https://attack.mitre.org/software/S1070), [REvil](https://attack.mitre.org/software/S0496), and [BlackCat](https://attack.mitre.org/software/S1068) ransomware. 
[Qilin](https://attack.mitre.org/software/S1242) affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: Sophos Qilin MSP APR 2025)(Citation: Trend Micro Agenda Ransomware OCT 2025) external_references[1]['description'] (Citation: Sophos Qilin MSP APR 2025)(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022) (Citation: Sophos Qilin MSP APR 2025)(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: Trend Micro Agenda Ransomware OCT 2025) x_mitre_version 1.0 2.0
iterable_item_added STIX Field Old value New Value external_references {'source_name': 'Trend Micro Agenda Ransomware OCT 2025', 'description': 'Trend Micro. (2025, October 23). Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Retrieved March 26, 2026.', 'url': 'https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html'} x_mitre_platforms Linux
[S0275] UPPERCUT Current version : 2.0
Version changed from : 1.1 → 2.0
+
+
+
+
+
+ t [UPPERCUT](https://attack.mitre.org/software/S0275) is a bac t [UPPERCUT](https://attack.mitre.org/software/S0275) is a 32-
+ kdoor that has been used by [menuPass](https://attack.mitre. bit HTTP-based backdoor that has been used by [menuPass](htt
+ org/groups/G0045). (Citation: FireEye APT10 Sept 2018) ps://attack.mitre.org/groups/G0045) since at least 2017.(Cit
+ ation: FireEye APT10 Sept 2018) Once thought to be exclusive
+ to [menuPass](https://attack.mitre.org/groups/G0045), [UPPE
+ RCUT](https://attack.mitre.org/software/S0275) was also obse
+ rved being used by [menuPass](https://attack.mitre.org/group
+ s/G0045)-associated [MirrorFace](https://attack.mitre.org/gr
+ oups/G1054) during [Operation AkaiRyū](https://attack.mitre.
+ org/campaigns/C0060).(Citation: Trend Micro Earth Kasha Anel
+ NOV 2024)
+
+
Details values_changed STIX Field Old value New Value modified 2025-04-25 14:45:09.125000+00:00 2026-04-22 21:04:29.621000+00:00 description [UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018) [UPPERCUT](https://attack.mitre.org/software/S0275) is a 32-bit HTTP-based backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2017.(Citation: FireEye APT10 Sept 2018) Once thought to be exclusive to [menuPass](https://attack.mitre.org/groups/G0045), [UPPERCUT](https://attack.mitre.org/software/S0275) was also observed being used by [menuPass](https://attack.mitre.org/groups/G0045)-associated [MirrorFace](https://attack.mitre.org/groups/G1054) during [Operation AkaiRyū](https://attack.mitre.org/campaigns/C0060).(Citation: Trend Micro Earth Kasha Anel NOV 2024) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_added STIX Field Old value New Value external_references {'source_name': 'Trend Micro Earth Kasha Anel NOV 2024', 'description': 'Hiroaki, H. (2024, November 26). Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.', 'url': 'https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html'}
Minor Version Changes [S0099] Arp Current version : 1.3
Version changed from : 1.2 → 1.3
Details values_changed STIX Field Old value New Value modified 2025-04-16 20:38:50.933000+00:00 2026-04-17 20:59:19.130000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 1.3
[S0190] BITSAdmin Current version : 1.5
Version changed from : 1.4 → 1.5
Details values_changed STIX Field Old value New Value modified 2025-04-16 20:38:52.586000+00:00 2026-04-17 14:09:31.571000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 1.5
[S0154] Cobalt Strike Current version : 1.14
Version changed from : 1.13 → 1.14
Details values_changed STIX Field Old value New Value modified 2024-09-25 20:32:57.099000+00:00 2026-04-23 21:14:18.712000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.13 1.14
[S1144] FRP Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2024-07-30 18:17:09.725000+00:00 2026-04-19 16:36:54.302000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[S1229] Havoc Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-10-24 03:07:43.276000+00:00 2026-04-20 12:17:28.794000+00:00 x_mitre_version 1.0 1.1
[S0604] Industroyer Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2024-04-11 16:06:34.700000+00:00 2026-04-23 14:11:53.057000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
[S0372] LockerGoga Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2023-10-17 20:05:34.648000+00:00 2026-04-22 22:21:12.036000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.0 2.1
[S0002] Mimikatz Current version : 1.11
Version changed from : 1.10 → 1.11
Details values_changed STIX Field Old value New Value modified 2024-11-27 21:53:57.705000+00:00 2026-04-19 18:13:24.015000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.10 1.11
[S0039] Net Current version : 2.8
Version changed from : 2.7 → 2.8
Details values_changed STIX Field Old value New Value modified 2024-11-27 21:55:29.681000+00:00 2026-04-17 14:16:53.721000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.7 2.8
[S0359] Nltest Current version : 1.4
Version changed from : 1.3 → 1.4
Details values_changed STIX Field Old value New Value modified 2024-09-25 20:27:04.356000+00:00 2026-04-17 13:17:52.139000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 1.4
[S1228] PUBLOAD Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-10-24 02:46:58.268000+00:00 2026-04-08 13:51:05.286000+00:00 x_mitre_version 1.0 1.1
[S0097] Ping Current version : 1.5
Version changed from : 1.4 → 1.5
Details values_changed STIX Field Old value New Value modified 2025-04-16 20:38:55.518000+00:00 2026-04-17 14:17:47.775000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 1.5
[S0013] PlugX Current version : 3.3
Version changed from : 3.2 → 3.3
Details dictionary_item_added STIX Field Old value New Value x_mitre_contributors ['Kyaw Pyiyt Htet (@KyawPyiytHtet)']
values_changed STIX Field Old value New Value modified 2025-09-11 18:28:54.041000+00:00 2025-11-20 22:48:45.121000+00:00 x_mitre_version 3.2 3.3
[S0262] QuasarRAT Current version : 2.2
Version changed from : 2.1 → 2.2
Details values_changed STIX Field Old value New Value modified 2024-05-07 19:10:03.843000+00:00 2026-04-17 19:56:22.409000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.1 2.2
[S1040] Rclone Current version : 1.3
Version changed from : 1.2 → 1.3
Details values_changed STIX Field Old value New Value modified 2025-10-14 18:39:05.993000+00:00 2026-04-20 13:39:30.460000+00:00 x_mitre_version 1.2 1.3
[S0332] Remcos Current version : 1.4
Version changed from : 1.3 → 1.4
Details values_changed STIX Field Old value New Value modified 2025-04-16 20:38:53.082000+00:00 2026-04-23 03:33:15.712000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.3 1.4
[S1071] Rubeus Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2025-04-16 20:38:56.949000+00:00 2026-04-19 16:35:49.683000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
[S1178] ShrinkLocker Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-03-09 16:11:02.671000+00:00 2026-01-26 20:55:58.133000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[S0603] Stuxnet Current version : 1.5
Version changed from : 1.4 → 1.5
+
+
+
+
+
+ t [Stuxnet](https://attack.mitre.org/software/S0603) was the f t [Stuxnet](https://attack.mitre.org/software/S0603) was the f
+ irst publicly reported piece of malware to specifically targ irst publicly reported malware to specifically target indust
+ et industrial control systems devices. [Stuxnet](https://att rial control systems devices. [Stuxnet](https://attack.mitre
+ ack.mitre.org/software/S0603) is a large and complex piece o .org/software/S0603) is a large and complex malware that uti
+ f malware that utilized multiple different behaviors includi lized multiple behaviors, including numerous zero-day vulner
+ ng multiple zero-day vulnerabilities, a sophisticated Window abilities, a sophisticated Windows rootkit, and network infe
+ s rootkit, and network infection routines.(Citation: Nicolas ction routines.(Citation: Nicolas Falliere, Liam O Murchu, E
+ Falliere, Liam O Murchu, Eric Chien February 2011)(Citation ric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10
+ : CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet U -272-01)(Citation: ESET Stuxnet Under the Microscope)(Citati
+ nder the Microscope)(Citation: Langer Stuxnet) [Stuxnet](htt on: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/softw
+ ps://attack.mitre.org/software/S0603) was discovered in 2010 are/S0603) was discovered in 2010, with some components bein
+ , with some components being used as early as November 2008. g used as early as November 2008.(Citation: Nicolas Falliere
+ (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien Febru , Liam O Murchu, Eric Chien February 2011)
+ ary 2011)
+
+
Details values_changed STIX Field Old value New Value modified 2025-01-02 19:40:26.678000+00:00 2026-04-24 02:36:25.135000+00:00 description [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 1.5
[S1239] TONESHELL Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 22:46:53.202000+00:00 2026-04-08 13:49:07.222000+00:00 x_mitre_version 1.0 1.1
[S0057] Tasklist Current version : 1.3
Version changed from : 1.2 → 1.3
Details values_changed STIX Field Old value New Value modified 2024-02-12 19:14:37.984000+00:00 2026-04-17 14:20:48.948000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 1.3
[S0183] Tor Current version : 1.5
Version changed from : 1.4 → 1.5
Details values_changed STIX Field Old value New Value modified 2025-09-29 20:22:30.453000+00:00 2026-04-22 21:19:41.095000+00:00 x_mitre_version 1.4 1.5
[S0645] Wevtutil Current version : 1.3
Version changed from : 1.2 → 1.3
Details values_changed STIX Field Old value New Value modified 2024-09-25 20:32:25.006000+00:00 2026-04-17 14:19:59.238000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.2 1.3
[S0160] certutil Current version : 1.6
Version changed from : 1.5 → 1.6
Details values_changed STIX Field Old value New Value modified 2024-11-27 21:56:15.800000+00:00 2026-04-22 21:03:22.466000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.5 1.6
[S0100] ipconfig Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2025-04-16 20:38:50.417000+00:00 2026-04-17 14:12:13.437000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
[S0385] njRAT Current version : 1.7
Version changed from : 1.6 → 1.7
Details values_changed STIX Field Old value New Value modified 2024-11-17 16:13:48.723000+00:00 2026-04-16 15:13:03.813000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.6 1.7
[S0225] sqlmap Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value x_mitre_aliases ['sqlmap']
values_changed STIX Field Old value New Value modified 2025-04-25 14:45:24.383000+00:00 2026-04-19 18:21:12.122000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
Patches [S0537] HyperStack Current version : 1.0
Details values_changed STIX Field Old value New Value modified 2025-04-25 14:42:55.977000+00:00 2026-01-20 15:11:37.735000+00:00 external_references[1]['url'] https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity https://web.archive.org/web/20201101015247/https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity x_mitre_attack_spec_version 3.2.0 3.3.0
[S0500] MCMD Current version : 1.1
+
+
+
+
+
+ t [MCMD](https://attack.mitre.org/software/S0500) is a remote t [MCMD](https://attack.mitre.org/software/S0500) is a remote
+ access tool that provides remote command shell capability us access tool that provides remote command shell capability us
+ ed by [Dragonfly 2.0 ](https://attack.mitre.org/groups/G0074 ) ed by [Dragonfly](https://attack.mitre.org/groups/G0035 ).(Ci
+ .(Citation: Secureworks MCMD July 2019) tation: Secureworks MCMD July 2019)
+
+
Details values_changed STIX Field Old value New Value modified 2025-04-16 20:38:54.178000+00:00 2026-04-17 14:07:56.328000+00:00 description [MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019) [MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly](https://attack.mitre.org/groups/G0035).(Citation: Secureworks MCMD July 2019) x_mitre_attack_spec_version 3.2.0 3.3.0
[S0165] OSInfo Current version : 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-25 14:45:06.283000+00:00 2026-01-20 15:46:53.918000+00:00 external_references[1]['url'] http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong x_mitre_attack_spec_version 3.2.0 3.3.0
[S0166] RemoteCMD Current version : 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-25 14:43:16.265000+00:00 2026-01-20 15:46:53.918000+00:00 external_references[1]['url'] http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong x_mitre_attack_spec_version 3.2.0 3.3.0
[S0461] SDBbot Current version : 2.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 20:38:23.446000+00:00 2026-01-20 15:50:34.668000+00:00 external_references[1]['url'] https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ https://web.archive.org/web/20200420201624/https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ x_mitre_attack_spec_version 3.2.0 3.3.0
mobile-attack New Software [S9004] Crocodilus Current version : 1.0
Description :
Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.(Citation: ThreatFabric_Crocodilus_March2025)(Citation: ThreatFabric_Crocodilus_June2025)
[S9005] DocSwap Current version : 1.0
Description :
DocSwap is an Android malware first identified in 2025 and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)
[S9030] SameCoin Current version : 1.0
Description :
SameCoin is a multi-platform wiper with Windows and Android versions that has been used by WIRTE to target entities in the Middle East including in Israel.(Citation: Check Point Wirte NOV 2024)
[S9006] VajraSpy Current version : 1.0
Description :
VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork which has used the malware to conduct targeted espionage, primarily against devices in Pakistan. (Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022)
ics-attack Minor Version Changes [S1045] INCONTROLLER Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:25.242000+00:00 2026-04-23 14:06:34.251000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[S0604] Industroyer Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2024-04-11 16:06:34.700000+00:00 2026-04-23 14:11:53.057000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
[S0372] LockerGoga Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2023-10-17 20:05:34.648000+00:00 2026-04-22 22:21:12.036000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.0 2.1
[S1006] PLC-Blaster Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:24.423000+00:00 2026-04-23 14:17:13.861000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[S0603] Stuxnet Current version : 1.5
Version changed from : 1.4 → 1.5
+
+
+
+
+
+ t [Stuxnet](https://attack.mitre.org/software/S0603) was the f t [Stuxnet](https://attack.mitre.org/software/S0603) was the f
+ irst publicly reported piece of malware to specifically targ irst publicly reported malware to specifically target indust
+ et industrial control systems devices. [Stuxnet](https://att rial control systems devices. [Stuxnet](https://attack.mitre
+ ack.mitre.org/software/S0603) is a large and complex piece o .org/software/S0603) is a large and complex malware that uti
+ f malware that utilized multiple different behaviors includi lized multiple behaviors, including numerous zero-day vulner
+ ng multiple zero-day vulnerabilities, a sophisticated Window abilities, a sophisticated Windows rootkit, and network infe
+ s rootkit, and network infection routines.(Citation: Nicolas ction routines.(Citation: Nicolas Falliere, Liam O Murchu, E
+ Falliere, Liam O Murchu, Eric Chien February 2011)(Citation ric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10
+ : CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet U -272-01)(Citation: ESET Stuxnet Under the Microscope)(Citati
+ nder the Microscope)(Citation: Langer Stuxnet) [Stuxnet](htt on: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/softw
+ ps://attack.mitre.org/software/S0603) was discovered in 2010 are/S0603) was discovered in 2010, with some components bein
+ , with some components being used as early as November 2008. g used as early as November 2008.(Citation: Nicolas Falliere
+ (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien Febru , Liam O Murchu, Eric Chien February 2011)
+ ary 2011)
+
+
Details values_changed STIX Field Old value New Value modified 2025-01-02 19:40:26.678000+00:00 2026-04-24 02:36:25.135000+00:00 description [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.4 1.5
[S1009] Triton Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2024-04-17 16:12:43.754000+00:00 2026-04-22 20:06:22.741000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
Groups enterprise-attack New Groups [G1054] MirrorFace Current version : 1.0
Description :
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO , HiddenFace , and UPPERCUT malware.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: JPCERT MirrorFace JUL 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)
[G1055] VOID MANTICORE Current version : 1.0
Description :
VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including (LinkByld: C0038) in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026) VOID MANTICORE has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)
Major Version Changes [G0099] APT-C-36 Current version : 2.0
Version changed from : 1.1 → 2.0
+
+
+
+
+
+ t [APT-C-36](https://attack.mitre.org/groups/G0099) is a suspe t [APT-C-36](https://attack.mitre.org/groups/G0099) is a suspe
+ cted South America espionage group that has been active sinc cted South American threat group that has engaged in espiona
+ e at least 2018. The group mainly targets Colombian governme ge and financially motivated operations since at least 2018.
+ nt institutions as well as important corporations in the fin [APT-C-36](https://attack.mitre.org/groups/G0099) has targe
+ ancial sector, petroleum industry, and professional manufact ted government institutions and entities in the financial, e
+ uring.(Citation: QiAnXin APT-C-36 Feb2019) nergy, and professional manufacturing sectors across Colombi
+ a and other Latin American countries.(Citation: QiAnXin APT-
+ C-36 Feb2019)(Citation: Kaspersky BlindEagle AUG 2024)(Citat
+ ion: Check Point Blind Eagle MAR 2025)(Citation: Recorded Fu
+ ture TAG-144 AUG 2025)
+
+
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-04-25 14:49:32.503000+00:00 2026-04-23 03:37:06.250000+00:00 description [APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019) [APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. [APT-C-36](https://attack.mitre.org/groups/G0099) has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.(Citation: QiAnXin APT-C-36 Feb2019)(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Check Point Blind Eagle MAR 2025)(Citation: Recorded Future TAG-144 AUG 2025) external_references[1]['description'] (Citation: QiAnXin APT-C-36 Feb2019) (Citation: QiAnXin APT-C-36 Feb2019)(Citation: Recorded Future TAG-144 AUG 2025) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 2.0
iterable_item_added STIX Field Old value New Value aliases TAG-144 aliases AguilaCiega aliases APT-Q-98 external_references {'source_name': 'TAG-144', 'description': '(Citation: Recorded Future TAG-144 AUG 2025)'} external_references {'source_name': 'AguilaCiega', 'description': '(Citation: Recorded Future TAG-144 AUG 2025)'} external_references {'source_name': 'APT-Q-98', 'description': '(Citation: Recorded Future TAG-144 AUG 2025)'} external_references {'source_name': 'Check Point Blind Eagle MAR 2025', 'description': 'Check Point Research. (2025, March 10). Blind Eagle: …And Justice for All. Retrieved April 16, 2026.', 'url': 'https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/'} external_references {'source_name': 'Kaspersky BlindEagle AUG 2024', 'description': 'Global Research & Analysis Team, Kaspersky. (2024, August 19). BlindEagle flying high in Latin America. Retrieved April 16, 2026.', 'url': 'https://securelist.com/blindeagle-apt/113414/'} external_references {'source_name': 'Recorded Future TAG-144 AUG 2025', 'description': 'Insikt Group. (2025, August 26). TAG-144’s Persistent Grip on South American Organizations. Retrieved April 16, 2026.', 'url': 'https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0826.pdf'}
[G0069] MuddyWater Current version : 7.0
Version changed from : 6.0 → 7.0
+
+
+
+
+
+ t [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyb t [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyb
+ er espionage group assessed to be a subordinate element with er espionage group assessed to be a subordinate element with
+ in Iran's Ministry of Intelligence and Security (MOIS).(Cita in Iran's Ministry of Intelligence and Security (MOIS).(Cita
+ tion: CYBERCOM Iranian Intel Cyber January 2022) Since at le tion: CYBERCOM Iranian Intel Cyber January 2022) Since at le
+ ast 2017, [MuddyWater](https://attack.mitre.org/groups/G0069 ast 2017, [MuddyWater](https://attack.mitre.org/groups/G0069
+ ) has targeted a range of government and private organizatio ) has targeted a range of government and private organizatio
+ ns across sectors, including telecommunications, local gover ns across sectors, including telecommunications, local gover
+ nment, defense, and oil and natural gas organizations, in th nment, finance, defense, and oil and natural gas organizatio
+ e Middle East, Asia, Africa, Europe, and North America.(Cita ns, in the Middle East (specifically the UAE and Saudi Arabi
+ tion: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyW a), Asia, Africa, Europe, and North America. [MuddyWater](ht
+ ater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citat tps://attack.mitre.org/groups/G0069) has reused domains dati
+ ion: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWa ng back to October 2025, and has a preference for NameCheap
+ ter November 2017)(Citation: DHS CISA AA22-055A MuddyWater F and Hosterdaddy Private Limited (AS136557). In late 2025 and
+ ebruary 2022)(Citation: Talos MuddyWater Jan 2022) early 2026, [MuddyWater](https://attack.mitre.org/groups/G0
+ 069) used commercial satellite internet (i.e., Starlink) for
+ command and control (C2) communication. (Citation: FalconFe
+ eds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citati
+ on: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWat
+ er Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citatio
+ n: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWate
+ r November 2017)(Citation: DHS CISA AA22-055A MuddyWater Feb
+ ruary 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: N
+ aumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_Mu
+ ddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar
+ 2026)
+
+
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-10-22 19:08:44.552000+00:00 2026-04-23 03:26:57.416000+00:00 description [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022) [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. [MuddyWater](https://attack.mitre.org/groups/G0069) has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, [MuddyWater](https://attack.mitre.org/groups/G0069) used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. 
(Citation: FalconFeeds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: NaumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_MuddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar2026) x_mitre_version 6.0 7.0
iterable_item_added STIX Field Old value New Value aliases MuddyKrill external_references {'source_name': 'Cloudflare 2026 Threat Report New Threat Actors March 2026', 'description': ' Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.', 'url': 'https://blog.cloudflare.com/2026-threat-report/'} external_references {'source_name': 'MuddyKrill', 'description': '(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)'} external_references {'source_name': 'ESET_MuddyWater_Dec2025', 'description': 'ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.', 'url': 'https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/'} external_references {'source_name': 'FalconFeeds_Iran_Mar2026', 'description': 'FalconFeeds.io. (2026, March 5). The Digital Redoubt: Iran’s National Information Network and the Asymmetry of Modern Cyber Conflict. Retrieved March 9, 2026.', 'url': 'https://falconfeeds.io/blogs/the-digital-redoubt-irans-national-information-network-cyber-conflict'} external_references {'source_name': 'Huntio_IranInfra_Mar2026', 'description': 'Hunt.io. (2026, March 4). Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation. Retrieved April 16, 2026.', 'url': 'https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters'} external_references {'source_name': 'NaumaanProofpoint_GlobalClickFix_April2025', 'description': 'Naumaan, S., et al. (2025, April 17). Around the World in 90 Days: State-Sponsored Actors Try ClickFix . Retrieved January 21, 2026.', 'url': 'https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix'} external_references {'source_name': 'SymantecCarbonBlack_Seedworm_Mar2026', 'description': 'Threat Hunter Team. (2026, March 5). Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company. 
Retrieved March 5, 2026.', 'url': 'https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us'} x_mitre_contributors Dragos Threat Intelligence
[G0090] WIRTE Current version : 3.0
Version changed from : 2.0 → 3.0
+
+
+
+
+
+ t [WIRTE](https://attack.mitre.org/groups/G0090) is a threat g t [WIRTE](https://attack.mitre.org/groups/G0090) is a cyberesp
+ roup that has been active since at least August 2018. [WIRTE ionage actor, believed to be a subgroup of the Hamas-affilia
+ ](https://attack.mitre.org/groups/G0090) has targeted govern ted Gaza Cybergang, that has been active since at least Augu
+ ment, diplomatic, financial, military, legal, and technology st 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has
+ organizations in the Middle East and Europe.(Citation: Lab5 targeted diplomatic, financial, military, legal, and technol
+ 2 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021) ogy organizations across the Middle East, North Africa, and
+ in Europe to gather intelligence. [WIRTE](https://attack.mit
+ re.org/groups/G0090) has remained persistently active despit
+ e the ongoing Israel-Hamas conflict and has expanded their o
+ perations to include wiper malware attacks against Israeli t
+ argets.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky
+ WIRTE November 2021)(Citation: Check Point Wirte NOV 2024)(C
+ itation: Palo Alto Ashen Lepus DEC 2025)
+
+
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-04-16 20:37:32.959000+00:00 2026-04-23 02:15:29.965000+00:00 description [WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021) [WIRTE](https://attack.mitre.org/groups/G0090) is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. [WIRTE](https://attack.mitre.org/groups/G0090) has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)(Citation: Check Point Wirte NOV 2024)(Citation: Palo Alto Ashen Lepus DEC 2025) x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value aliases Ashen Lepus external_references {'source_name': 'Ashen Lepus', 'description': '(Citation: Palo Alto Ashen Lepus DEC 2025)'} external_references {'source_name': 'Check Point Wirte NOV 2024', 'description': 'Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.', 'url': 'https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/'} external_references {'source_name': 'Palo Alto Ashen Lepus DEC 2025', 'description': 'Unit 42. (2025, December 11). Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite. Retrieved April 20, 2026.', 'url': 'https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/'} x_mitre_domains mobile-attack
Minor Version Changes [G0007] APT28 Current version : 5.3
Version changed from : 5.2 → 5.3
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-03-10 20:15:06.958000+00:00 2026-04-21 13:20:49.866000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 5.2 5.3
[G0047] Gamaredon Group Current version : 3.3
Version changed from : 3.2 → 3.3
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-10-24 01:05:47.958000+00:00 2026-04-19 00:11:03.898000+00:00 x_mitre_version 3.2 3.3
iterable_item_added STIX Field Old value New Value aliases NastyShrew external_references {'source_name': 'Cloudflare 2026 Threat Report New Threat Actors March 2026', 'description': ' Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.', 'url': 'https://blog.cloudflare.com/2026-threat-report/'} external_references {'source_name': 'NastyShrew', 'description': '(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)'}
[G0094] Kimsuky Current version : 5.2
Version changed from : 5.1 → 5.2
+
+
+
+
+
+ t [Kimsuky](https://attack.mitre.org/groups/G0094) is a North t [Kimsuky](https://attack.mitre.org/groups/G0094) is a Democr
+ Korea-based cyber espionage group that has been active since atic People's Republic of Korea (DPRK)-based cyber espionage
+ at least 2012. The group initially targeted South Korean go group that has been active since at least 2012. The group i
+ vernment agencies, think tanks, and subject-matter experts i nitially targeted South Korean government agencies, think ta
+ n various fields. Its operations expanded to include the Uni nks, and subject-matter experts in various fields. Its opera
+ ted Nations and organizations in the government, education, tions expanded to include the United Nations and organizatio
+ business services, and manufacturing sectors across the Unit ns in the government, education, business services, and manu
+ ed States, Japan, Russia, and Europe. [Kimsuky](https://atta facturing sectors across the United States, Japan, Russia, a
+ ck.mitre.org/groups/G0094) has focused collection on foreign nd Europe. [Kimsuky](https://attack.mitre.org/groups/G0094)
+ policy and national security issues tied to the Korean Peni has focused collection on foreign policy and national securi
+ nsula, nuclear policy, and sanctions. Its operations have ov ty issues tied to the Korean Peninsula, nuclear policy, and
+ erlapped with other DPRK actors, likely due to ad hoc collab sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094)
+ oration or limited resource sharing.(Citation: EST Kimsuky A operations have overlapped with those of other North Korean
+ pril 2019)(Citation: Cybereason Kimsuky November 2020)(Citat state-sponsored cyber espionage actors as a result of ad hoc
+ ion: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301 collaborations or other limited resource sharing.(Citation:
+ A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Pr EST Kimsuky April 2019)(Citation: Cybereason Kimsuky Novemb
+ oofpoint TA427 April 2024) Because of overlapping operations er 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation:
+ , some researchers group a wide range of North Korean state- CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024
+ sponsored cyber activity under the broader [Lazarus Group](h )(Citation: Proofpoint TA427 April 2024) [Kimsuky](https:/
+ ttps://attack.mitre.org/groups/G0032) umbrella rather than t /attack.mitre.org/groups/G0094) was assessed to be responsib
+ racking separate subgroup or cluster distinctions. [Kimsuky le for the 2014 Korea Hydro & Nuclear Power Co. compromise;
+ ](https://attack.mitre.org/groups/G0094) was assessed to be other notable campaigns include Operation STOLEN PENCIL (201
+ responsible for the 2014 Korea Hydro & Nuclear Power Co. com 8), Operation Kabar Cobra (2019), and Operation Smoke Screen
+ promise; other notable campaigns include Operation STOLEN PE (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation
+ NCIL (2018), Operation Kabar Cobra (2019), and Operation Smo : EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsu
+ ke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018) ky Kabar Cobra Feb 2019) In 2023, [Kimsuky](https://attack.m
+ (Citation: EST Kimsuky SmokeScreen April 2019)(Citation: Ahn itre.org/groups/G0094) was observed using commercial large l
+ Lab Kimsuky Kabar Cobra Feb 2019) In 2023, [Kimsuky](https: anguage models (LLMs) to assist with vulnerability research,
+ //attack.mitre.org/groups/G0094) was observed using commerci scripting, social engineering and reconnaissance.(Citation:
+ al large language models to assist with vulnerability resear MSFT-AI) DPRK threat actor cluster boundaries overlap in o
+ ch, scripting, social engineering and reconnaissance.(Citati pen source reporting, with some security researchers consoli
+ on: MSFT-AI) dating all attributed North Korean state-sponsored cyber act
+ ivity under [Lazarus Group](https://attack.mitre.org/groups/
+ G0032), rather than tracking operationally distinct subgroup
+ s.
+
+
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-11-12 18:55:12.319000+00:00 2026-04-23 18:46:50.938000+00:00 description [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Its operations have overlapped with other DPRK actors, likely due to ad hoc collaboration or limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) Because of overlapping operations, some researchers group a wide range of North Korean state-sponsored cyber activity under the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella rather than tracking separate subgroup or cluster distinctions.
+
+[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)
+
+In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) was observed using commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI) [Kimsuky](https://attack.mitre.org/groups/G0094) is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)
+
+[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)
+
+DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under [Lazarus Group](https://attack.mitre.org/groups/G0032), rather than tracking operationally distinct subgroups. x_mitre_version 5.1 5.2 x_mitre_contributors[3] Wai Linn Oo @ Kernellix Wai Linn Oo, Kernellix Co.,Ltd.
iterable_item_added STIX Field Old value New Value aliases Earth Kumiho aliases PatheticSlug external_references {'source_name': 'Cloudflare 2026 Threat Report New Threat Actors March 2026', 'description': ' Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.', 'url': 'https://blog.cloudflare.com/2026-threat-report/'} external_references {'source_name': 'PatheticSlug', 'description': '(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)'} external_references {'source_name': 'Earth Kumiho', 'description': '(Citation: Rapid7 Threat Landscape Actors March 2026)'} external_references {'source_name': 'Rapid7 Threat Landscape Actors March 2026', 'description': 'Rapid7. (2026, March 18). 2026 GLOBAL THREAT LANDSCAPE REPORT: Decoding the Accelerated Cyber Attack Cycle. Retrieved April 18, 2026.', 'url': 'https://www.rapid7.com/cdn/assets/bltc1ddd6561ab54a26/69ba67de50ca691edcd3f5b7/rapid7-threat-landscape-report-2026.pdf'} x_mitre_domains mobile-attack
[G0102] Wizard Spider Current version : 4.1
Version changed from : 4.0 → 4.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-03-12 20:33:21.597000+00:00 2026-01-20 16:26:04.859000+00:00 external_references[17]['url'] https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf https://web.archive.org/web/20220313061955/https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 4.0 4.1
iterable_item_added STIX Field Old value New Value aliases Pistachio Tempest aliases DEV-0237 external_references {'source_name': 'Pistachio Tempest', 'description': '(Citation: Microsoft_PistachioTempest_Jan2024)'} external_references {'source_name': 'DEV-0237', 'description': '(Citation: Microsoft_PistachioTempest_Jan2024)'} external_references {'source_name': 'Microsoft_PistachioTempest_Jan2024', 'description': 'Microsoft. (2024, January 25). Financially Motivated Threat Actor Pistachio Tempest. Retrieved December 15, 2025.', 'url': 'https://www.microsoft.com/en-us/security/security-insider/threat-landscape/pistachio-tempest'}
Patches [G0016] APT29 Current version : 6.2
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-04-04 17:07:43.344000+00:00 2026-01-20 16:22:04.140000+00:00 external_references[39]['url'] https://www.secureworks.com/research/threat-profiles/iron-ritual https://www.sophos.com/en-us/threat-profiles/iron-ritual x_mitre_attack_spec_version 3.2.0 3.3.0
[G0022] APT3 Current version : 1.4
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2024-09-16 16:18:53.978000+00:00 2026-01-20 15:46:53.916000+00:00 external_references[12]['url'] http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong x_mitre_attack_spec_version 3.2.0 3.3.0
[G0082] APT38 Current version : 3.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-01-22 21:54:11.727000+00:00 2025-11-13 19:21:05.133000+00:00 external_references[11]['url'] https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf x_mitre_attack_spec_version 3.2.0 3.3.0
[G1016] FIN13 Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2023-09-29 19:08:47.861000+00:00 2026-01-20 15:10:22.473000+00:00 external_references[2]['url'] https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d https://web.archive.org/web/20220105132433/https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf x_mitre_attack_spec_version 3.2.0 3.3.0
[G0129] Mustang Panda Current version : 3.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-11-04 19:40:42.270000+00:00 2026-04-19 00:11:03.898000+00:00
iterable_item_added STIX Field Old value New Value aliases ClumsyToad external_references {'source_name': 'Cloudflare 2026 Threat Report New Threat Actors March 2026', 'description': ' Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.', 'url': 'https://blog.cloudflare.com/2026-threat-report/'} external_references {'source_name': 'ClumsyToad', 'description': '(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)'}
[G0092] TA505 Current version : 3.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2024-04-10 22:37:02.592000+00:00 2026-01-20 15:50:34.667000+00:00 external_references[5]['url'] https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ https://web.archive.org/web/20200420201624/https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ x_mitre_attack_spec_version 3.2.0 3.3.0
[G0028] Threat Group-1314 Current version : 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-04-25 14:49:05.962000+00:00 2026-01-20 16:07:46.964000+00:00 external_references[3]['url'] http://www.secureworks.com/resources/blog/living-off-the-land/ https://web.archive.org/web/20150626073312/http://www.secureworks.com/resources/blog/living-off-the-land/ x_mitre_attack_spec_version 3.2.0 3.3.0
[G0010] Turla Current version : 5.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2024-06-26 18:09:33.862000+00:00 2026-01-20 15:11:37.732000+00:00 external_references[9]['url'] https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity https://web.archive.org/web/20201101015247/https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity x_mitre_attack_spec_version 3.2.0 3.3.0
[G1017] Volt Typhoon Current version : 2.0
+
+
+
+
+
+ t [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a P t [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a P
+ eople's Republic of China (PRC) state-sponsored actor that h eople's Republic of China (PRC) state-sponsored actor that h
+ as been active since at least 2021 primarily targeting criti as been active since at least 2021, primarily targeting crit
+ cal infrastructure organizations in the US and its territori ical infrastructure organizations in the US and its territor
+ es including Guam. [Volt Typhoon](https://attack.mitre.org/g ies including Guam. [Volt Typhoon](https://attack.mitre.org/
+ roups/G1017)'s targeting and pattern of behavior have been a groups/G1017)'s targeting and pattern of behavior have been
+ ssessed as pre-positioning to enable lateral movement to ope assessed as pre-positioning to enable lateral movement to op
+ rational technology (OT) assets for potential destructive or erational technology (OT) assets for potential destructive o
+ disruptive attacks. [Volt Typhoon](https://attack.mitre.org r disruptive attacks. [Volt Typhoon](https://attack.mitre.or
+ /groups/G1017) has emphasized stealth in operations using we g/groups/G1017) has emphasized stealth in operations using w
+ b shells, living-off-the-land (LOTL) binaries, hands on keyb eb shells, living-off-the-land (LOTL) binaries, hands on key
+ oard activities, and stolen credentials.(Citation: CISA AA24 board activities, and stolen credentials.(Citation: CISA AA2
+ -038A PRC Critical Infrastructure February 2024)(Citation: M 4-038A PRC Critical Infrastructure February 2024)(Citation:
+ icrosoft Volt Typhoon May 2023)(Citation: Joint Cybersecurit Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecuri
+ y Advisory Volt Typhoon June 2023)(Citation: Secureworks BRO ty Advisory Volt Typhoon June 2023)(Citation: Secureworks BR
+ NZE SILHOUETTE May 2023) ONZE SILHOUETTE May 2023). The group has leveraged compromis
+ ed SOHO routers to proxy command and control traffic and obs
+ cure its infrastructure, activity associated with the KV bot
+ net.(Citation: DOJ KVBotnet 2024). Reporting indicates a s
+ eparate initial access cluster, SYLVANITE, has been observed
+ exploiting internet-facing edge devices and transferring ac
+ cess to [Volt Typhoon](https://attack.mitre.org/groups/G1017
+ ), also tracked as VOLTZITE, for follow-on operations. (Cita
+ tion: Dragos 2025 Year in Review)
+
+
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-04-30 13:27:45.018000+00:00 2026-04-27 03:57:23.174000+00:00 description [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023) [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023). 
The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.(Citation: DOJ KVBotnet 2024).
+
+Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to [Volt Typhoon](https://attack.mitre.org/groups/G1017), also tracked as VOLTZITE, for follow-on operations. (Citation: Dragos 2025 Year in Review) external_references[8]['url'] https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations https://web.archive.org/web/20230601025540/https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations x_mitre_attack_spec_version 3.2.0 3.3.0
iterable_item_added STIX Field Old value New Value aliases DazedToad external_references {'source_name': 'Cloudflare 2026 Threat Report New Threat Actors March 2026', 'description': ' Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.', 'url': 'https://blog.cloudflare.com/2026-threat-report/'} external_references {'source_name': 'DazedToad', 'description': '(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)'} external_references {'source_name': 'Dragos 2025 Year in Review', 'description': 'Dragos. (2026, February). 9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT . Retrieved April 26, 2026.', 'url': 'https://5943619.hs-sites.com/hubfs/312-Year-in-Review/2026/Dragos-2026-OT-Cybersecurity-Report-A-Year-in-Review.pdf?hsCtaAttrib=205683189348'} external_references {'source_name': 'DOJ KVBotnet 2024', 'description': 'US Department of Justice. (2024, January 31). U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure. Retrieved June 10, 2024.', 'url': 'https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical'}
mobile-attack New Groups [G0094] Kimsuky Current version : 5.2
Description :
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)
+Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)
+DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group , rather than tracking operationally distinct subgroups.
[G0042] MONSOON Current version : 1.0
[G0040] Patchwork Current version : 1.6
Description :
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)
[G0086] Stolen Pencil Current version : 1.1
Description :
Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)
[G0090] WIRTE Current version : 3.0
Description :
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)(Citation: Check Point Wirte NOV 2024)(Citation: Palo Alto Ashen Lepus DEC 2025)
Major Version Changes [G0069] MuddyWater Current version : 7.0
Version changed from : 6.0 → 7.0
+
+
+
+
+
+ t [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyb t [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyb
+ er espionage group assessed to be a subordinate element with er espionage group assessed to be a subordinate element with
+ in Iran's Ministry of Intelligence and Security (MOIS).(Cita in Iran's Ministry of Intelligence and Security (MOIS).(Cita
+ tion: CYBERCOM Iranian Intel Cyber January 2022) Since at le tion: CYBERCOM Iranian Intel Cyber January 2022) Since at le
+ ast 2017, [MuddyWater](https://attack.mitre.org/groups/G0069 ast 2017, [MuddyWater](https://attack.mitre.org/groups/G0069
+ ) has targeted a range of government and private organizatio ) has targeted a range of government and private organizatio
+ ns across sectors, including telecommunications, local gover ns across sectors, including telecommunications, local gover
+ nment, defense, and oil and natural gas organizations, in th nment, finance, defense, and oil and natural gas organizatio
+ e Middle East, Asia, Africa, Europe, and North America.(Cita ns, in the Middle East (specifically the UAE and Saudi Arabi
+ tion: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyW a), Asia, Africa, Europe, and North America. [MuddyWater](ht
+ ater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citat tps://attack.mitre.org/groups/G0069) has reused domains dati
+ ion: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWa ng back to October 2025, and has a preference for NameCheap
+ ter November 2017)(Citation: DHS CISA AA22-055A MuddyWater F and Hosterdaddy Private Limited (AS136557). In late 2025 and
+ ebruary 2022)(Citation: Talos MuddyWater Jan 2022) early 2026, [MuddyWater](https://attack.mitre.org/groups/G0
+ 069) used commercial satellite internet (i.e., Starlink) for
+ command and control (C2) communication. (Citation: FalconFe
+ eds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citati
+ on: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWat
+ er Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citatio
+ n: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWate
+ r November 2017)(Citation: DHS CISA AA22-055A MuddyWater Feb
+ ruary 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: N
+ aumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_Mu
+ ddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar
+ 2026)
+
+
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-10-22 19:08:44.552000+00:00 2026-04-23 03:26:57.416000+00:00 description [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022) [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. [MuddyWater](https://attack.mitre.org/groups/G0069) has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, [MuddyWater](https://attack.mitre.org/groups/G0069) used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. 
(Citation: FalconFeeds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: NaumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_MuddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar2026) x_mitre_version 6.0 7.0
iterable_item_added STIX Field Old value New Value aliases MuddyKrill external_references {'source_name': 'Cloudflare 2026 Threat Report New Threat Actors March 2026', 'description': ' Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.', 'url': 'https://blog.cloudflare.com/2026-threat-report/'} external_references {'source_name': 'MuddyKrill', 'description': '(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)'} external_references {'source_name': 'ESET_MuddyWater_Dec2025', 'description': 'ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.', 'url': 'https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/'} external_references {'source_name': 'FalconFeeds_Iran_Mar2026', 'description': 'FalconFeeds.io. (2026, March 5). The Digital Redoubt: Iran’s National Information Network and the Asymmetry of Modern Cyber Conflict. Retrieved March 9, 2026.', 'url': 'https://falconfeeds.io/blogs/the-digital-redoubt-irans-national-information-network-cyber-conflict'} external_references {'source_name': 'Huntio_IranInfra_Mar2026', 'description': 'Hunt.io. (2026, March 4). Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation. Retrieved April 16, 2026.', 'url': 'https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters'} external_references {'source_name': 'NaumaanProofpoint_GlobalClickFix_April2025', 'description': 'Naumaan, S., et al. (2025, April 17). Around the World in 90 Days: State-Sponsored Actors Try ClickFix . Retrieved January 21, 2026.', 'url': 'https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix'} external_references {'source_name': 'SymantecCarbonBlack_Seedworm_Mar2026', 'description': 'Threat Hunter Team. (2026, March 5). Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company. 
Retrieved March 5, 2026.', 'url': 'https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us'} x_mitre_contributors Dragos Threat Intelligence
Minor Version Changes [G0007] APT28 Current version : 5.3
Version changed from : 5.2 → 5.3
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-03-10 20:15:06.958000+00:00 2026-04-21 13:20:49.866000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 5.2 5.3
ics-attack Minor Version Changes [G0102] Wizard Spider Current version : 4.1
Version changed from : 4.0 → 4.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-03-12 20:33:21.597000+00:00 2026-01-20 16:26:04.859000+00:00 external_references[17]['url'] https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf https://web.archive.org/web/20220313061955/https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 4.0 4.1
iterable_item_added STIX Field Old value New Value aliases Pistachio Tempest aliases DEV-0237 external_references {'source_name': 'Pistachio Tempest', 'description': '(Citation: Microsoft_PistachioTempest_Jan2024)'} external_references {'source_name': 'DEV-0237', 'description': '(Citation: Microsoft_PistachioTempest_Jan2024)'} external_references {'source_name': 'Microsoft_PistachioTempest_Jan2024', 'description': 'Microsoft. (2024, January 25). Financially Motivated Threat Actor Pistachio Tempest. Retrieved December 15, 2025.', 'url': 'https://www.microsoft.com/en-us/security/security-insider/threat-landscape/pistachio-tempest'}
Patches [G0082] APT38 Current version : 3.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value modified 2025-01-22 21:54:11.727000+00:00 2025-11-13 19:21:05.133000+00:00 external_references[11]['url'] https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf x_mitre_attack_spec_version 3.2.0 3.3.0
Campaigns enterprise-attack New Campaigns [C0063] 2025 Poland Wiper Attacks Current version : 1.0
Description :
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper , a Windows-based wiper and LazyWiper , a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly , also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team .(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)
[C0062] Anthropic AI-orchestrated Campaign Current version : 1.0
Description :
The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations at approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign , human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.(Citation: Anthropic AI Orchestrated Campaign NOV 2025)(Citation: Anthropic Disrupting AI Espionage NOV 2025)
[C0060] Operation AkaiRyū Current version : 1.0
Description :
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace , as well as their use of UPPERCUT , which was thought to be exclusive to menuPass .(Citation: ESET MirrorFace 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)
[C0061] Operation Digital Eye Current version : 1.0
Description :
Operation Digital Eye was conducted in June and July of 2024 by suspected People's Republic of China (PRC)-nexus threat actors targeting business-to-business IT service providers in Southern Europe. Operation Digital Eye activity included the use of Visual Studio Code tunnels for command and control (C2) and custom lateral movement capabilities. Overlaps in tooling between Digital Eye and previous China-nexus campaigns, Operation Soft Cell and Operation Tainted Love, indicate the potential use of shared vendors or digital quartermasters.(Citation: sentinelone operationDigitalEye Dec 2024)
Minor Version Changes [C0038] HomeLand Justice Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) t [HomeLand Justice](https://attack.mitre.org/campaigns/C0038)
+ was a disruptive campaign involving the use of ransomware, was a disruptive cyber campaign conducted by Iranian state-
+ wiper malware, and sensitive information leaks conducted by affiliated actors against Albanian government networks in Ju
+ Iranian state cyber actors against Albanian government netwo ly and September 2022. The activity combined ransomware, wip
+ rks in July and September 2022. Initial access for [HomeLand er malware, and data leak operations. Initial access for [Ho
+ Justice](https://attack.mitre.org/campaigns/C0038) was esta meLand Justice](https://attack.mitre.org/campaigns/C0038) wa
+ blished in May 2021 as threat actors subsequently moved late s established as early as May 2021, and threat actors moved
+ rally, exfiltrated sensitive information, and maintained per laterally, exfiltrated sensitive information, and maintained
+ sistence for approximately 14 months prior to the attacks. R persistence for approximately 14 months prior to the destru
+ esponsibility was claimed by the "HomeLand Justice" front wh ctive phase of the operation. Responsibility was claimed by
+ ose messaging indicated targeting of the Mujahedeen-e Khalq the "HomeLand Justice" front, which framed the campaign as r
+ (MEK), an Iranian opposition group who maintain a refugee ca etaliation against the Mujahedeen-e Khalq (MEK), an Iranian
+ mp in Albania, and were formerly designated a terrorist orga opposition group with a presence in Albania. Multiple Iran-n
+ nization by the US State Department.(Citation: Mandiant ROAD exus groups are assessed to have participated in the campaig
+ SWEEP August 2022)(Citation: Microsoft Albanian Government A n, including [HEXANE](https://attack.mitre.org/groups/G1001)
+ ttacks September 2022)(Citation: CISA Iran Albanian Attacks who probed victim infrastructure.(Citation: Mandiant ROADSW
+ September 2022) A second wave of attacks was launched in Sep EEP August 2022)(Citation: Microsoft Albanian Government Att
+ tember 2022 using similar tactics after public attribution o acks September 2022)(Citation: CISA Iran Albanian Attacks Se
+ f the previous activity to Iran and the severing of diplomat ptember 2022) A second wave of attacks was launched in Septe
+ ic ties between Iran and Albania.(Citation: CISA Iran Albani mber 2022 using similar tactics following public attribution
+ an Attacks September 2022) of the previous activity to Iran and the severing of diplom
+ atic ties between Iran and Albania.(Citation: CISA Iran Alba
+ nian Attacks September 2022)
+
+
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
dictionary_item_removed STIX Field Old value New Value x_mitre_domains ['enterprise-attack']
values_changed STIX Field Old value New Value modified 2024-10-31 16:06:50.414000+00:00 2026-04-23 02:24:58.492000+00:00 description [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the "HomeLand Justice" front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)(Citation: CISA Iran Albanian Attacks September 2022) A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.(Citation: CISA Iran Albanian Attacks September 2022)
+
+ [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) was established as early as May 2021, and threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including [HEXANE](https://attack.mitre.org/groups/G1001) who probed victim infrastructure.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)(Citation: CISA Iran Albanian Attacks September 2022) A second wave of attacks was launched in September 2022 using similar tactics following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.(Citation: CISA Iran Albanian Attacks September 2022)
+
+ x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[C0030] Triton Safety Instrumented System Attack Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
dictionary_item_removed STIX Field Old value New Value x_mitre_domains ['ics-attack', 'enterprise-attack']
values_changed STIX Field Old value New Value modified 2024-11-17 16:15:02.223000+00:00 2026-04-23 00:24:57.457000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
Patches [C0058] SharePoint ToolShell Exploitation Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
dictionary_item_removed STIX Field Old value New Value x_mitre_domains ['enterprise-attack']
values_changed STIX Field Old value New Value modified 2025-11-12 15:13:10.723000+00:00 2026-04-23 18:46:50.936000+00:00 x_mitre_contributors[0] Wai Linn Oo @ Kernellix Wai Linn Oo, Kernellix Co.,Ltd.
[C0037] Water Curupira Pikabot Distribution Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
dictionary_item_removed STIX Field Old value New Value x_mitre_domains ['enterprise-attack']
values_changed STIX Field Old value New Value modified 2024-10-28 19:02:30.340000+00:00 2026-04-22 18:11:30.378000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0
ics-attack New Campaigns [C0063] 2025 Poland Wiper Attacks Current version : 1.0
Description :
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper , a Windows-based wiper and LazyWiper , a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly , also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team .(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)
Minor Version Changes [C0030] Triton Safety Instrumented System Attack Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
dictionary_item_removed STIX Field Old value New Value x_mitre_domains ['ics-attack', 'enterprise-attack']
values_changed STIX Field Old value New Value modified 2024-11-17 16:15:02.223000+00:00 2026-04-23 00:24:57.457000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
Assets ics-attack Minor Version Changes [A0008] Application Server Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 14:58:00.982000+00:00 2023-09-28T14:58:00.982Z modified 2025-10-22 15:13:16.424000+00:00 2026-04-23T01:01:24.568Z x_mitre_version 2.0 2.1
[A0007] Control Server Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 14:55:39.339000+00:00 2023-09-28T14:55:39.339Z modified 2025-10-21 19:58:01.290000+00:00 2026-04-23T01:04:14.767Z x_mitre_version 2.0 2.1
[A0009] Data Gateway Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 15:01:48.509000+00:00 2023-09-28T15:01:48.509Z modified 2025-10-21 19:43:43.474000+00:00 2026-04-27T17:47:40.077Z x_mitre_version 2.0 2.1
[A0006] Data Historian Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 14:48:36.305000+00:00 2023-09-28T14:48:36.305Z modified 2025-10-21 19:55:17.864000+00:00 2026-04-23T01:03:57.506Z x_mitre_version 2.0 2.1
[A0017] Distributed Control System (DCS) Controller Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-09-24 22:53:09.627000+00:00 2025-09-24T22:53:09.627Z modified 2025-10-21 16:17:35.766000+00:00 2026-04-23T01:01:01.668Z x_mitre_version 1.0 1.1
[A0013] Field I/O Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1 x_mitre_sectors ['General']
values_changed STIX Field Old value New Value created 2023-09-28 17:57:22.946000+00:00 2023-09-28T17:57:22.946Z modified 2023-10-04 19:26:49.788000+00:00 2026-04-27T16:50:21.228Z x_mitre_version 1.0 1.1 x_mitre_attack_spec_version 3.2.0 3.3.0
[A0016] Firewall Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
dictionary_item_removed STIX Field Old value New Value x_mitre_related_assets []
values_changed STIX Field Old value New Value created 2025-09-24 18:17:26.575000+00:00 2025-09-24T18:17:26.575Z modified 2025-10-21 19:34:14.912000+00:00 2026-04-27T18:02:22.344Z x_mitre_version 1.0 1.1
[A0002] Human-Machine Interface (HMI) Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 14:38:54.407000+00:00 2023-09-28T14:38:54.407Z modified 2023-10-04 17:59:11.489000+00:00 2026-04-23T00:58:37.171Z x_mitre_version 1.0 1.1 x_mitre_attack_spec_version 3.2.0 3.3.0
[A0005] Intelligent Electronic Device (IED) Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 14:46:42.566000+00:00 2023-09-28T14:46:42.566Z modified 2023-10-04 18:01:02.506000+00:00 2026-04-27T16:47:33.077Z x_mitre_version 1.0 1.1 x_mitre_attack_spec_version 3.2.0 3.3.0
iterable_item_added STIX Field Old value New Value x_mitre_related_assets General
[A0012] Jump Host Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 17:52:53.206000+00:00 2023-09-28T17:52:53.206Z modified 2023-10-04 18:03:06.811000+00:00 2026-04-23T00:58:05.830Z x_mitre_version 1.0 1.1 x_mitre_attack_spec_version 3.2.0 3.3.0
[A0018] Programmable Automation Controller (PAC) Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1 x_mitre_sectors ['General']
values_changed STIX Field Old value New Value created 2025-09-29 18:56:19.712000+00:00 2025-09-29T18:56:19.712Z modified 2025-10-03 17:46:10.281000+00:00 2026-04-27T16:50:01.628Z x_mitre_version 1.0 1.1
[A0003] Programmable Logic Controller (PLC) Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 14:43:05.105000+00:00 2023-09-28T14:43:05.105Z modified 2023-10-04 18:09:21.296000+00:00 2026-04-27T16:47:46.663Z x_mitre_version 1.0 1.1 x_mitre_attack_spec_version 3.2.0 3.3.0
iterable_item_added STIX Field Old value New Value x_mitre_related_assets General
[A0004] Remote Terminal Unit (RTU) Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 14:44:54.756000+00:00 2023-09-28T14:44:54.756Z modified 2023-10-04 18:05:43.237000+00:00 2026-04-23T00:58:18.239Z x_mitre_version 1.0 1.1 x_mitre_attack_spec_version 3.2.0 3.3.0
[A0014] Routers Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-29 18:55:09.319000+00:00 2023-09-29T18:55:09.319Z modified 2025-10-21 19:56:56.316000+00:00 2026-04-27T17:45:55.901Z x_mitre_version 2.0 2.1
[A0010] Safety Controller Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1 x_mitre_sectors ['General']
values_changed STIX Field Old value New Value created 2023-09-28 15:10:05.534000+00:00 2023-09-28T15:10:05.534Z modified 2023-10-16 18:49:08.504000+00:00 2026-04-27T17:25:50.475Z x_mitre_version 1.0 1.1 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_related_assets[0] {'name': 'Safety Instrumented System (SIS) controller', 'related_asset_sectors': [], 'description': 'SIS controllers are used to “take the process to a safe state when predetermined conditions are violated” (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. '} {'name': 'Safety Instrumented System (SIS) controller', 'related_asset_sectors': ['General'], 'description': 'SIS controllers are used to “take the process to a safe state when predetermined conditions are violated” (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. '} x_mitre_related_assets[1] {'name': 'Emergency Shutdown Systems (ESD) controller', 'related_asset_sectors': [], 'description': 'Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system “to a safe static condition so that any remedial action can be taken”. (Citation: SIGTTO ESD 2021)'} {'name': 'Emergency Shutdown Systems (ESD) controller', 'related_asset_sectors': ['General'], 'description': 'Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system “to a safe static condition so that any remedial action can be taken”. 
(Citation: SIGTTO ESD 2021)'} x_mitre_related_assets[2] {'name': 'Burner Management Systems (BMS) controller', 'related_asset_sectors': [], 'description': 'Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences.'} {'name': 'Burner Management Systems (BMS) controller', 'related_asset_sectors': ['General'], 'description': 'Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences.'}
[A0015] Switch Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-09-24 17:53:28.482000+00:00 2025-09-24T17:53:28.482Z modified 2025-10-21 19:34:42.547000+00:00 2026-04-27T18:01:55.383Z x_mitre_version 1.0 1.1
[A0011] Virtual Private Network (VPN) Server Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 15:13:07.950000+00:00 2023-09-28T15:13:07.950Z modified 2023-10-04 18:07:59.333000+00:00 2026-04-23T00:57:53.372Z x_mitre_version 1.0 1.1 x_mitre_attack_spec_version 3.2.0 3.3.0
[A0001] Workstation Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2023-09-28 14:22:49.837000+00:00 2023-09-28T14:22:49.837Z modified 2025-10-21 19:58:23.607000+00:00 2026-04-23T01:04:34.868Z x_mitre_version 2.0 2.1
Mitigations enterprise-attack Patches [M1030] Network Segmentation Current version : 1.2
Details values_changed STIX Field Old value New Value modified 2025-04-02 17:29:32.003000+00:00 2026-04-24 19:41:50.467000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0
ics-attack Minor Version Changes [M0801] Access Management Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-03-12 16:11:54.933000+00:00 2026-04-23 00:47:44.798000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0947] Audit Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:31.848000+00:00 2026-04-23 00:54:39.756000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0800] Authorization Enforcement Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2023-10-20 17:01:38.562000+00:00 2026-04-23 00:54:03.965000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
[M0946] Boot Integrity Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:29.725000+00:00 2026-04-23 00:55:57.931000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0945] Code Signing Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:28.975000+00:00 2026-04-23 00:54:56.965000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0802] Communication Authenticity Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:32.013000+00:00 2026-04-23 00:54:21.289000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0808] Encrypt Network Traffic Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:29.147000+00:00 2026-04-23 00:55:38.098000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0941] Encrypt Sensitive Information Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:31.005000+00:00 2026-04-23 00:56:16.357000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0937] Filter Network Traffic Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:26.074000+00:00 2026-04-23 00:45:45.801000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0804] Human User Authentication Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2023-10-20 17:02:00.299000+00:00 2026-04-23 00:50:55.165000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
[M0807] Network Allowlists Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:31.149000+00:00 2026-04-23 00:56:32.131000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0931] Network Intrusion Prevention Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:27.092000+00:00 2026-04-23 00:47:04.457000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0930] Network Segmentation Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:26.551000+00:00 2026-04-23 00:46:09.190000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0810] Out-of-Band Communications Channel Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:31.696000+00:00 2026-04-23 00:56:53.267000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0922] Restrict File and Directory Permissions Current version : 1.1
Version changed from : 1.0 → 1.1
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:33.651000+00:00 2026-04-23 00:57:09.061000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.0 1.1
[M0813] Software Process and Device Authentication Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2024-10-14 20:31:04.927000+00:00 2026-04-23 00:55:20.765000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
[M0814] Static Network Configuration Current version : 1.2
Version changed from : 1.1 → 1.2
Details values_changed STIX Field Old value New Value modified 2025-04-16 21:26:28.312000+00:00 2026-04-23 00:50:32.432000+00:00 x_mitre_attack_spec_version 3.2.0 3.3.0 x_mitre_version 1.1 1.2
Data Components enterprise-attack Major Version Changes [DC0038] Application Log Content Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-24 19:46:47.171000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Default IME active or bound to (InputMethodManager reports imeId=)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Default IME changed/active: imeId=, onStartInput/onFinishInput high frequency. TYPE_APPLICATION_OVERLAY|addView .* showing on top of package '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Default IME active imeId=; frequent onStartInput/commitText calls'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Task switch from browser/custom tab to handler immediately after OAuth return'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'UIPasteboard read (general/string/data) by ; repeated reads or background access'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Secure text entry focus and editingChanged bursts not typical for the app'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields'} x_mitre_log_sources {'name': 
'iOS:unifiedlog', 'channel': 'Repeated canOpenURL checks across diverse schemes (≥N within short window)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)'} x_mitre_log_sources {'name': 'm365:exchange', 'channel': 'External sender message followed by user action involving links or attachments'} x_mitre_log_sources {'name': 'm365:teams', 'channel': 'External chat request or new tenant communication preceding approval activity'} x_mitre_log_sources {'name': 'm365:unified', 'channel': 'MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet'} x_mitre_log_sources {'name': 'm365:unified', 'channel': 'Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication'} x_mitre_log_sources {'name': 'saas:okta', 'channel': 'policy.rule.update;system.log.disable;admin.role.assign'} x_mitre_log_sources {'name': 'saas:slack', 'channel': 'xternal DM or workspace invite preceding credential or approval actions'} x_mitre_log_sources {'name': 'saas:zoom', 'channel': 'Unexpected contact interaction preceding follow-on admin requests'} x_mitre_domains mobile-attack
[DC0083] Cloud Service Enumeration Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-02-23 19:38:20.657000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0083 https://attack.mitre.org/data-components/DC0083 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'saas:MDM', 'channel': 'Device lookup, location query, or remote management operation'} x_mitre_domains mobile-attack
[DC0055] File Access Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:39:07.536000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'macOS:unifiedlog', 'channel': 'looking for file access to scripts with abnormal encoding patterns'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data//files/, /storage/emulated/0/Download//*)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'KeyChain/AndroidKeyStore read of token alias'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow'} x_mitre_log_sources {'name': 'auditd:SYSCALL', 'channel': 'attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) 
or Files/Photos provider mountpoints, especially when group not owned by bundle'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow'} x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'Recent download opened or executed'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution'} x_mitre_domains mobile-attack
[DC0039] File Creation Current version : 3.0
Version changed from : 2.0 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_data_source_ref
values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 17:17:05.280000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': 'App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data//files/, /sdcard/Download/) and high estimated entropy'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application//tmp|Library/Caches)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'App UID writes edited media to container paths (e.g., /data/data//files/, .../cache/, /storage/emulated/0/Pictures//) with high delta in size vs. original and elevated estimated segment entropy '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Create/write of high-entropy files in /data/data//(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Create/write under /data/data//(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Create/write in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)'} x_mitre_log_sources {'name': 
'iOS:unifiedlog', 'channel': 'CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE paths like /data/data//files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE to /data/data//(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE to /data/data//(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE /data/data//(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE /data/data//(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'File writes from removable-media or USB-associated paths into download, package staging, temp, or 
application-accessible storage shortly after USB connection'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'large file write originating from /mnt/usb or external mounted storage'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes 
archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state'} x_mitre_domains mobile-attack
[DC0040] File Deletion Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:19:16.114000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication'} x_mitre_domains mobile-attack
[DC0061] File Modification Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-16 16:41:53.549000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AndroidLogs:FileSystem', 'channel': 'Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history'} x_mitre_log_sources {'name': 'auditd:PATH', 'channel': 'odification of ~/.ssh/authorized_keys or credential files'} x_mitre_domains mobile-attack
[DC0016] Module Load Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-01-29 17:21:27.873000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0016 https://attack.mitre.org/data-components/DC0016 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': 'DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Short burst of file I/O followed by JNI/dlopen of a newly created .so'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'dyld: dlopen/dyld_cache load from non-standard app-writable path'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'dlopen/image load from app-writable path (tmp, Caches) outside bundled resources'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so'} x_mitre_domains mobile-attack
[DC0035] Process Access Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-02-23 18:45:08.713000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0035 https://attack.mitre.org/data-components/DC0035 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Activity/Process state change (mFocusedApp, onResume/onPause) identifying as foreground'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Foreground/background transition for to contextualize access timing'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Grant/activation of BIND_ACCESSIBILITY_SERVICE, BIND_INPUT_METHOD, SYSTEM_ALERT_WINDOW, POST_NOTIFICATIONS for '} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Keyboard extension Full Access change; privacy grant touching input/keyboard categories for '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Grant/enablement for BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD for '} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Keyboard extension Full Access change or related privacy grant for '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for '} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Scene/foreground transitions for to contextualize timing'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE'} x_mitre_log_sources {'name': 'EDR:telemetry', 'channel': 'Sustained or high-frequency location sensor access, 
including background location usage'} x_mitre_domains mobile-attack
[DC0001] Scheduled Job Creation Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-09 17:05:23.355000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0001 https://attack.mitre.org/data-components/DC0001 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'MobiledEDR:telemetry', 'channel': 'Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger'} x_mitre_domains mobile-attack
[DC0002] User Account Authentication Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-24 19:47:33.610000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'saas:MDM', 'channel': 'Authentication events to device management or enterprise mobility management consoles'} x_mitre_log_sources {'name': 'saas:MDM', 'channel': 'Authentication events to Apple iCloud or enterprise device management services'} x_mitre_log_sources {'name': 'saas:okta', 'channel': 'user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize'} x_mitre_domains mobile-attack
Minor Version Changes [DC0064] Command Execution Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-24 19:47:16.123000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': "Command 'pm list packages' executed by app sandbox or child proc"} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content'} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve of curl,wget,bash,sh,python with piped or remote content'} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve, kill, ptrace, insmod, rmmod targeting security processes'} x_mitre_log_sources {'name': 'esxi:shell', 'channel': 'esxcli system syslog config set/reload, services.sh restart/stop'} x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'Execution of osascript, sh, bash, zsh, installer, open'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase'}
[DC0074] Driver Metadata Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_sources [{'name': 'macos:unifiedlog', 'channel': 'Extension disabled, unloaded, failed to start'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-16 17:02:15.878000+00:00 x_mitre_version 2.0 2.1
[DC0059] File Metadata Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:33:47.956000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'auditd:SYSCALL', 'channel': 'stat and lstat syscall results on files, including inode and permission info'} x_mitre_log_sources {'name': 'AndroidLogs:Framework', 'channel': 'BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps'} x_mitre_domains mobile-attack
[DC0099] Group Enumeration Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:14:39.499000+00:00 2026-03-13 22:21:38.311000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0099 https://attack.mitre.org/data-components/DC0099 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'WinEventLog:Security', 'channel': 'EventCode=4798, 4799'}
[DC0018] Host Status Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-20 18:17:23.974000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'networkdevice:syslog', 'channel': 'no logging host, no aaa new-model, no snmp-server, commit'} x_mitre_log_sources {'name': 'android:appops', 'channel': 'ACCESS_FINE_LOCATION|NEARBY_DEVICES|BLUETOOTH_SCAN used in close proximity to network-context queries'} x_mitre_log_sources {'name': 'AndroidAttestation:SafetyNet', 'channel': 'SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false'} x_mitre_log_sources {'name': 'AndroidAttestation:VerifiedBoot', 'channel': 'Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure'} x_mitre_log_sources {'name': 'AndroidLogs:Crash', 'channel': 'Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID'} x_mitre_log_sources {'name': 'AndroidLogs:Crash', 'channel': 'Application or system process crash/restart patterns temporally associated with remote service communications'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'code signature validation failure / exec of invalidly-signed payload from sandboxed app'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application crash logs, watchdog terminations, or abnormal execution events associated with service communication'} x_mitre_log_sources {'name': 'MDM:DeviceIntegrity', 'channel': 'jailbreak/root compromise indicators or integrity attestation failures enabling process visibility'} x_mitre_log_sources {'name': 'OEMAttestation:Knox', 'channel': 'Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set'}
[DC0073] Instance Modification Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:14:40.223000+00:00 2026-04-16 17:07:21.897000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AWS:CloudTrail', 'channel': 'ModifyInstanceAttribute'}
[DC0082] Network Connection Creation Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:37:33.992000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'log entries indicating network connection initiation on macOS'} x_mitre_log_sources {'name': 'Network', 'channel': 'None'} x_mitre_log_sources {'name': 'NSM:Connections', 'channel': 'Outbound connection after script or installer launch'}
[DC0085] Network Traffic Content Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:14:34.343000+00:00 2026-04-22 14:48:50.367000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'Traffic', 'channel': 'None'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)'} x_mitre_log_sources {'name': 'NSM:Connections', 'channel': 'Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing 
anomalous or low-and-slow command polling behavior'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Traffic spike preceding control crash'} x_mitre_log_sources {'name': 'NSM:Inspection', 'channel': 
'TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation'} x_mitre_log_sources {'name': 'NSM:Inspection', 'channel': 'TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect'} x_mitre_log_sources {'name': 'TelecomLogs:SS7Signaling', 'channel': 'Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns'} x_mitre_log_sources {'name': 'TelecomLogs:SS7Signaling', 'channel': 'Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class"} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET 
or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 
'channel': 'Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception'}
[DC0078] Network Traffic Flow Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-09 17:32:30.362000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0078 https://attack.mitre.org/data-components/DC0078 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'TelecomLogs:MobilityEvents', 'channel': 'Unexpected location resolution events or abnormal subscriber tracking requests'} x_mitre_log_sources {'name': 'TelecomLogs:MobilityEvents', 'channel': 'Unexpected subscriber tracking or abnormal mobility/location resolution activity'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication'}
[DC0021] OS API Execution Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:22:40.476000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AndroidLogs:Kernel', 'channel': 'Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'QUERY on exported ContentProviders of other packages (content:///*) or MediaStore scoped queries immediately preceding file reads'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for . TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by '} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. 
Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'ACTION_VIEW redirect_uri handled by unexpected package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'wifiservice startScan / scanResults retrieved repeatedly or by unexpected package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'telephony cell info enumeration bursts (neighboring/all cell info) by package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application invokes UIDevice queries (model, systemVersion, name)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source'} 
x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application activates CoreLocation services or CLLocationManager APIs'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Observed network-path, reachability, DNS, transport, or location-provider 
framework reports repeated unavailable or failed state near active device use'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of Calendar.set() and Calendar.add()'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated trusted app invokes Android framework paths or special access 
patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 
'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of CallLogs.getLastOutgoingCall()'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of AccountManager.getAccounts()'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app invoked global action such as back, home, recents, or 
navigation control while target foreground app context changed within TimeWindow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Keypair generation, import, or access events (public/private key usage) occurring prior to network communication'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes archive, compression, or bulk-buffer packaging routines on 
previously accessed local data within the same execution chain'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase"} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application launches or executes code where loaded library or component path does not match application package path or expected signing context'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only 
after region match or location threshold condition'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or 
privileged file-removal operations immediately before installed-state loss'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections'}
[DC0032] Process Creation Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_removed STIX Field Old value New Value x_mitre_data_source_ref
values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-13 15:49:16.424000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0032 https://attack.mitre.org/data-components/DC0032 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AndroidLogs:Kernel', 'channel': 'init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock'} x_mitre_log_sources {'name': 'AndroidLogs:Framework', 'channel': 'Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/), or whose parent process originates from an app sandbox'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'startActivity on top of (launchMode/singleTop), task switch immediately after focus'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes audio buffer or recorded audio file into application storage directories'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application installed from adb, sideload, or unknown USB source'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)'}
[DC0034] Process Metadata Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-16 17:01:33.771000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'Crash or abnormal termination of security agent or system extension host'}
[DC0065] Service Modification Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-20 18:21:23.994000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'esxi:hostd', 'channel': 'service state change'}
[DC0013] User Account Metadata Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:14:38.578000+00:00 2026-03-13 22:24:06.660000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0013 https://attack.mitre.org/data-components/DC0013 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'DirectoryService queries retrieving account information'}
Patches [DC0041] Service Metadata Current version : 2.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-16 16:59:19.254000+00:00
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'auditd:DAEMON', 'channel': 'auditd stopped, config changed, logging suspended'}
[DC0063] Windows Registry Key Modification Current version : 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_data_source_ref
values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-03-13 23:12:09.029000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0063 https://attack.mitre.org/data-components/DC0063
iterable_item_removed STIX Field Old value New Value x_mitre_log_sources {'name': 'Windows Registry', 'channel': 'None'}
mobile-attack New Data Components [DC0038] Application Log Content Current version : 3.0
Description :
Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples:
+
+Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).
+Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).
+SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.
+Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.
+System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.
+ [DC0123] Application State Current version : 1.0
Description :
Application State represents the operational status and lifecycle context of a mobile application at a given point in time. This includes whether the application is running in the foreground or background, its activity state, recent user interaction, and transitions between lifecycle states.
+Monitoring application state helps defenders identify suspicious behavior where an application performs sensitive actions while inactive, in the background, or without recent user interaction.
+Application state is particularly useful when detecting malicious activity that occurs outside normal user-driven workflows.
+Examples
+Android
+
+Application transitions from foreground to background
+Application running as a background service
+Application started via broadcast receiver
+Application launched automatically after device boot
+
+iOS
+
+Application entering active, inactive, or background state
+Background task execution
+Background fetch activity
+Application wake events triggered by push notifications or system services
+
+Data Collection Measures
+- Mobile EDR / MTD runtime monitoring
+- OS lifecycle event telemetry
+- Application runtime instrumentation
+- Mobile security platform behavioral monitoring
[DC0083] Cloud Service Enumeration Current version : 3.0
Description :
Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Examples:
+AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.
+- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.
+- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation.
+- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.
[DC0055] File Access Current version : 3.0
Description :
To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples:
+
+File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.
+File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).
+Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., /etc/passwd on Linux or System32 files on Windows).
+File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).
+File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).
+ [DC0039] File Creation Current version : 3.0
Description :
A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).
[DC0040] File Deletion Current version : 3.0
Description :
Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.
[DC0059] File Metadata Current version : 2.1
Description :
contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples:
+
+File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows.
+Timestamps: Analyzing the creation, modification, and access timestamps of a file.
+File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.
+File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.
+File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.
+File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.
+ [DC0061] File Modification Current version : 3.0
Description :
Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples:
+
+Content Modifications: Changes to the content of a configuration file, such as modifying /etc/ssh/sshd_config on Linux or C:\Windows\System32\drivers\etc\hosts on Windows.
+Permission Changes: Altering file permissions to allow broader access, such as changing a file from 644 to 777 on Linux or modifying NTFS permissions on Windows.
+Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.
+Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like touch in Linux or timestomping tools on Windows.
+Software or System File Changes: Modifying system files such as boot.ini, kernel modules, or application binaries.
+ [DC0016] Module Load Current version : 3.0
Description :
When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.
[DC0035] Process Access Current version : 3.0
Description :
Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.
+Data Collection Measures:
+
+Endpoint Detection and Response (EDR) Tools:
+EDR solutions that provide telemetry on inter-process access and memory manipulation.
+
+
+Sysmon (Windows):
+Event ID 10: Captures process access attempts, including:
+Source process (initiator)
+Target process (victim)
+Access rights requested
+Process ID correlation
+
+
+
+
+Windows Event Logs:
+Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
+Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
+
+
+Linux/macOS Monitoring:
+AuditD: Monitors process access through syscall tracing (e.g., ptrace, open, read, write).
+eBPF/XDP: Used for low-level monitoring of kernel process access.
+OSQuery: Query process access behavior via structured SQL-like logging.
+
+
+Procmon (Process Monitor) and Debugging Tools:
+Windows Procmon: Captures real-time process interactions.
+Linux strace / ptrace: Useful for tracking process behavior at the system call level.
+
+
+ [DC0001] Scheduled Job Creation Current version : 3.0
Description :
The establishment of a task or job that will execute at a predefined time or based on specific triggers.
[DC0002] User Account Authentication Current version : 3.0
Description :
An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.
Minor Version Changes [DC0112] API Calls Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-16 16:18:01.897000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0112 https://attack.mitre.org/data-components/DC0112 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Repeated sandbox or policy violations by a single process or app bundle (for example, deny rules) followed by successful access to resources or APIs that normally require higher privileges'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'mmap with PROT_EXEC and PROT_WRITE by sandboxed app'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'SELinux AVC related to execute_no_trans/execmem after decode/unpack activity by the same app UID'}
[DC0119] Application Assets Current version : 2.1
Version changed from : 2.0 → 2.1
+
+
+
+
+
+ t Additional assets included with an application t Application Assets represent static or packaged resources bu
+ ndled with an application that may contain executable logic,
+ configuration data, or hidden payloads. These assets may i
+ nclude embedded binaries, scripts, configuration files, libr
+ aries, or other resources stored within the application pack
+ age. Adversaries may hide malicious components within applic
+ ation assets to evade detection during installation or initi
+ al inspection. Examples Android: - Embedded .dex files lo
+ aded dynamically - Hidden native libraries in APK assets - D
+ ropped payloads stored within the app sandbox iOS: - Embed
+ ded frameworks - Configuration files within the application
+ bundle - Hidden scripts or secondary binaries packaged with
+ the app Collection Methods - Mobile EDR application inspect
+ ion - Static application analysis - Application package scan
+ ning during install or sideload events
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-11 15:49:22.334000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0119 https://attack.mitre.org/data-components/DC0119 description Additional assets included with an application Application Assets represent static or packaged resources bundled with an application that may contain executable logic, configuration data, or hidden payloads.
+
+These assets may include embedded binaries, scripts, configuration files, libraries, or other resources stored within the application package. Adversaries may hide malicious components within application assets to evade detection during installation or initial inspection.
+
+Examples
+
+Android:
+
+- Embedded .dex files loaded dynamically
+- Hidden native libraries in APK assets
+- Dropped payloads stored within the app sandbox
+
+iOS:
+
+- Embedded frameworks
+- Configuration files within the application bundle
+- Hidden scripts or secondary binaries packaged with the app
+
+Collection Methods
+- Mobile EDR application inspection
+- Static application analysis
+- Application package scanning during install or sideload events
+ x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application gaining or using unexpected background execution entitlements or modes'}
[DC0114] Application Permission Current version : 2.1
Version changed from : 2.0 → 2.1
+
+
+
+
+
+ t Permissions declared in an application's manifest or propert t Represents the permissions, entitlements, or capability gran
+ y list file ts associated with a mobile application, including both perm
+ issions declared by the application and those granted or req
+ uested during runtime. Monitoring permission state helps de
+ fenders identify applications attempting to access protected
+ device resources such as sensors, storage, communications i
+ nterfaces, or system services. Examples include: Android
+ - Permissions declared in AndroidManifest.xml - Runtime perm
+ ission prompts - Special access privileges (AccessibilitySer
+ vice, overlay, device admin) iOS - App entitlements in pro
+ visioning profiles - Privacy permission prompts - Capability
+ grants for device services
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-23 18:21:10.349000+00:00 name Permissions Requests Application Permission description Permissions declared in an application's manifest or property list file Represents the permissions, entitlements, or capability grants associated with a mobile application, including both permissions declared by the application and those granted or requested during runtime.
+
+Monitoring permission state helps defenders identify applications attempting to access protected device resources such as sensors, storage, communications interfaces, or system services.
+
+Examples include:
+
+Android
+
+- Permissions declared in AndroidManifest.xml
+- Runtime permission prompts
+- Special access privileges (AccessibilityService, overlay, device admin)
+
+iOS
+
+- App entitlements in provisioning profiles
+- Privacy permission prompts
+- Capability grants for device services
+ x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': 'READ_EXTERNAL_STORAGE / MANAGE_EXTERNAL_STORAGE permission present or toggled at runtime'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Application granted or retaining RECORD_AUDIO permission or privileged CAPTURE_AUDIO_OUTPUT capability'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Application installed with NSMicrophoneUsageDescription entitlement indicating microphone capability'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Application granted/retaining ACCESS_FINE_LOCATION and/or ACCESS_COARSE_LOCATION; background location capability present (ACCESS_BACKGROUND_LOCATION on Android 10+)'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Device inventory changes involving phone number/line identifier fields (when available), eSIM profile presence, or compliance signal indicating SIM profile change'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Managed device inventory change indicating cellular plan/eSIM profile updates (where available via supervised iOS + MDM reporting)'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'New permission prompt, package install attempt, accessibility/overlay special access request, or other post-browse capability escalation following browser/WebView activity'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Post-browse configuration profile prompt, managed/unmanaged app handoff anomaly, or compliance-relevant state change shortly after browser activity'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'ADB_DEBUGGING_ENABLED'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Compliance posture or restriction state relevant to accessory 
access, USB restricted mode, supervised trust policy, or backup/pairing restrictions'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Application gains or is observed with elevated interaction capability such as accessibility, overlay, device admin, notification access, or other authentication-adjacent special access'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App with network-, telephony-, Wi-Fi-, or location-adjacent capability is impacted by abrupt repeated service loss while permissions remain unchanged'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application holds or is granted broad storage, document-provider, media, or file-management capability inconsistent with its expected role before or during bulk file transformation'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Known application or newly updated version declares, gains, or activates expanded storage, sensor, communications, accessibility, or device-management capability inconsistent with prior baseline or app role'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Known application version declares, gains, or first exercises storage, communications, accessibility, advertising, analytics, overlay, or sensor-adjacent capability inconsistent with prior version baseline or business role'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Device enrollment or compliance event shows failed or degraded verified boot, hardware-backed attestation mismatch, patch/build/baseband inconsistency, or unexpected device 
property drift near first contact'} x_mitre_log_sources {'name': 'android:MDMLog ', 'channel': 'Application granted or retaining the READ_CALENDAR or WRITE_CALENDAR permissions. '} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Supervised enrollment, activation, or inventory event reveals unexpected device property relationships, anomalous managed posture, unexplained configuration drift near first contact, or identity/inventory characteristics inconsistent with approved procurement baseline'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Supervised managed app is newly installed or updated and presents unexpected version transition, inventory drift, managed-state change, or app attribute mismatch against approved procurement and release baseline'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'App communicating with legitimate web-service infrastructure is unmanaged, newly installed, recently updated, outside approved app list, or shows baseline drift in role, installer source, or expected capability profile'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Managed app communicating with legitimate web-service infrastructure is newly installed, recently updated, outside expected managed-app set, or displays baseline drift in app role, release path, or business justification'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'App initiating resolver→pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Bundle performing resolver→pivot sequence not present in approved managed-app baseline or lacks expected service relationship'} 
x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'App identity performing bidirectional exchange was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for read/write operations'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Bundle performing bidirectional exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'App identity performing repeated one-way retrieval was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for background content retrieval'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Bundle performing repeated one-way retrieval was not present in approved managed-app baseline or was not permitted to use detected public web-service class for background content retrieval'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'App identity performing camera session was unmanaged, recently granted camera permission, or not approved to use camera for video or interval image capture'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Application granted or retaining the READ_CALL_LOG permission. 
'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Application granted or retaining the READ_CONTACTS permission.'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Bundle performing camera session was not present in approved managed-app baseline or was not permitted to use camera for video or interval image capture'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Application granted or retaining the READ_SMS or RECEIVE_SMS permission.'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'App identity performing screen capture had unapproved accessibility posture, capture-related special access, unmanaged state, or was not approved for screen recording or assistive observation workflows'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed app with undeclared secure transport behavior or app category mismatch initiates opaque TLS communications inconsistent with enterprise policy baseline'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Supervised managed app with undeclared secure transport behavior or unexpected network role communicates with non-baselined destination over opaque TLS'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed application with no declared backup, sync, export, or media-editing role performs bulk local packaging or encrypted archive generation'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Supervised managed app without expected export, 
backup, or sync role performs local data staging behavior followed by opaque upload activity'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed app granted or retaining storage-related or elevated access inconsistent with declared function prior to local data access activity'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Supervised managed app without expected local export, sync, or forensic role accesses or stages local records inconsistent with policy baseline'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed app without approved content-download, update, browser, or file-sync role performs remote payload retrieval and local tool staging'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Supervised managed app without approved update, browser, sync, or enterprise-content role retrieves and stages secondary content inconsistent with policy baseline'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed application without approved native-code role or expected high-performance/native dependency exhibits native execution behavior inconsistent with enterprise policy baseline'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed application package version, signer lineage, installer source, or app identity changes outside approved enterprise or store-mediated update workflow'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed app granted SEND_SMS or RECEIVE_SMS permission, or app role/policy indicates SMS-capable behavior inconsistent with approved enterprise function before SMS control activity'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Default SMS handler changes to non-baselined application or managed app unexpectedly becomes or remains device default SMS app during SMS control phase'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed app without approved VPN, enterprise tunneling, browser, or remote-access role exhibits proxy-like 
traffic handling inconsistent with policy baseline'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'device transitions to non-compliant state + root detected or integrity attestation failure (SafetyNet/Play Integrity)'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application integrity mismatch or package signature inconsistency relative to expected deployment baseline'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application granted high-risk permission or special access (AccessibilityService, SYSTEM_ALERT_WINDOW, DeviceAdmin) with abnormal grant pattern (e.g., no recent user interaction or rapid sequence of grants)'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application granted Device Administrator privilege + abnormal activation pattern (e.g., rapid enablement after install or no recent user interaction)'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'application has approved capabilities required for conditional execution (e.g., location/background modes) but observed behavior is deferred until target-specific state is present'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application granted ACCESS_FINE_LOCATION and, when required for background operation, ACCESS_BACKGROUND_LOCATION + 
capability state sufficient for persistent geolocation monitoring before later guarded activity'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'application authorized for when-in-use or always location access and, where relevant, background execution capability sufficient for continued geographic evaluation before later guarded behavior'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'installed application remains present while launcher-visible activity or component discoverability changes to hidden, disabled, or synthesized-settings-entry state prior to later runtime activity'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'change to security-relevant device configuration or managed policy (e.g., accessibility enablement, app admin changes, security service state change) preceding telemetry degradation'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application enabled as device administrator, device owner, or profile owner before screen-lock or password-control activity'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application granted accessibility service privileges capable of intercepting UI flow or sustaining user-interaction denial before lockout event'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'device posture changes to rooted, non-compliant, weakened 
security state, or elevated control role becomes active before security-tool degradation'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'security-relevant application package state, enabled status, administrator state, or managed protection setting changes immediately before monitoring degradation'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'device posture or compromise-state indicators change unexpectedly, including rooted or non-compliant status disappearance, after prior app or system activity suggesting persistence on device'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'managed application state changes unexpectedly through uninstall, disappearance from expected inventory, or install-state mismatch after prior suspicious activity'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application holds device-owner, profile-owner, or delegated app-management authority capable of package removal before uninstall event'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application has accessibility service privileges immediately before package-removal UI flow and subsequent application disappearance'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'device posture indicates rooted, compromised, or non-compliant state before package files disappear without standard managed uninstall workflow'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'application holds device administrator, device owner, or other managed authority capable of wipe or destructive device-level action before bulk file loss or wipe event'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'device posture indicates rooted, compromised, or non-compliant state before protected or atypical filesystem deletion activity'}
[DC0064] Command Execution Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-24 19:47:16.123000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': "Command 'pm list packages' executed by app sandbox or child proc"} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content'} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve of curl,wget,bash,sh,python with piped or remote content'} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve, kill, ptrace, insmod, rmmod targeting security processes'} x_mitre_log_sources {'name': 'esxi:shell', 'channel': 'esxcli system syslog config set/reload, services.sh restart/stop'} x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'Execution of osascript, sh, bash, zsh, installer, open'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase'}
[DC0018] Host Status Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-20 18:17:23.974000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'networkdevice:syslog', 'channel': 'no logging host, no aaa new-model, no snmp-server, commit'} x_mitre_log_sources {'name': 'android:appops', 'channel': 'ACCESS_FINE_LOCATION|NEARBY_DEVICES|BLUETOOTH_SCAN used in close proximity to network-context queries'} x_mitre_log_sources {'name': 'AndroidAttestation:SafetyNet', 'channel': 'SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false'} x_mitre_log_sources {'name': 'AndroidAttestation:VerifiedBoot', 'channel': 'Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure'} x_mitre_log_sources {'name': 'AndroidLogs:Crash', 'channel': 'Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID'} x_mitre_log_sources {'name': 'AndroidLogs:Crash', 'channel': 'Application or system process crash/restart patterns temporally associated with remote service communications'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'code signature validation failure / exec of invalidly-signed payload from sandboxed app'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application crash logs, watchdog terminations, or abnormal execution events associated with service communication'} x_mitre_log_sources {'name': 'MDM:DeviceIntegrity', 'channel': 'jailbreak/root compromise indicators or integrity attestation failures enabling process visibility'} x_mitre_log_sources {'name': 'OEMAttestation:Knox', 'channel': 'Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set'}
[DC0113] Network Communication Current version : 2.1
Version changed from : 2.0 → 2.1
+
+
+
+
+
+ t Network requests made by an application or domains contacted t Network Communication captures outbound or inbound communica
+ tion initiated by an application or mobile device, including
+ the domains contacted, protocols used, and session metadata
+ associated with the communication. Monitoring network comm
+ unication enables defenders to identify command-and-control
+ traffic, data exfiltration, or suspicious communication patt
+ erns originating from mobile applications. Examples - Conn
+ ections to previously unseen domains - Repeated communicatio
+ n with suspicious infrastructure - Communication immediately
+ following application installation Collection Methods - M
+ obile VPN telemetry - Secure web gateway logs - Network dete
+ ction and response (NDR) - Mobile EDR network monitoring
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-11 15:52:58.538000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0113 https://attack.mitre.org/data-components/DC0113 description Network requests made by an application or domains contacted Network Communication captures outbound or inbound communication initiated by an application or mobile device, including the domains contacted, protocols used, and session metadata associated with the communication.
+
+Monitoring network communication enables defenders to identify command-and-control traffic, data exfiltration, or suspicious communication patterns originating from mobile applications.
+
+Examples
+
+- Connections to previously unseen domains
+- Repeated communication with suspicious infrastructure
+- Communication immediately following application installation
+
+Collection Methods
+
+- Mobile VPN telemetry
+- Secure web gateway logs
+- Network detection and response (NDR)
+- Mobile EDR network monitoring
+ x_mitre_version 2.0 2.1
[DC0082] Network Connection Creation Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:37:33.992000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'log entries indicating network connection initiation on macOS'} x_mitre_log_sources {'name': 'Network', 'channel': 'None'} x_mitre_log_sources {'name': 'NSM:Connections', 'channel': 'Outbound connection after script or installer launch'}
[DC0085] Network Traffic Content Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:14:34.343000+00:00 2026-04-22 14:48:50.367000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'Traffic', 'channel': 'None'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)'} x_mitre_log_sources {'name': 'NSM:Connections', 'channel': 'Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing 
anomalous or low-and-slow command polling behavior'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Traffic spike preceding control crash'} x_mitre_log_sources {'name': 'NSM:Inspection', 'channel': 
'TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation'} x_mitre_log_sources {'name': 'NSM:Inspection', 'channel': 'TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect'} x_mitre_log_sources {'name': 'TelecomLogs:SS7Signaling', 'channel': 'Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns'} x_mitre_log_sources {'name': 'TelecomLogs:SS7Signaling', 'channel': 'Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class"} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET 
or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 
'channel': 'Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception'}
[DC0078] Network Traffic Flow Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-09 17:32:30.362000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0078 https://attack.mitre.org/data-components/DC0078 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'TelecomLogs:MobilityEvents', 'channel': 'Unexpected location resolution events or abnormal subscriber tracking requests'} x_mitre_log_sources {'name': 'TelecomLogs:MobilityEvents', 'channel': 'Unexpected subscriber tracking or abnormal mobility/location resolution activity'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication'}
[DC0021] OS API Execution Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:22:40.476000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AndroidLogs:Kernel', 'channel': 'Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'QUERY on exported ContentProviders of other packages (content:///*) or MediaStore scoped queries immediately preceding file reads'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for . TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by '} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. 
Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'ACTION_VIEW redirect_uri handled by unexpected package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'wifiservice startScan / scanResults retrieved repeatedly or by unexpected package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'telephony cell info enumeration bursts (neighboring/all cell info) by package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application invokes UIDevice queries (model, systemVersion, name)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source'} 
x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application activates CoreLocation services or CLLocationManager APIs'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Observed network-path, reachability, DNS, transport, or location-provider 
framework reports repeated unavailable or failed state near active device use'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of Calendar.set() and Calendar.add()'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated trusted app invokes Android framework paths or special access 
patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 
'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of CallLogs.getLastOutgoingCall()'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of AccountManager.getAccounts()'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app invoked global action such as back, home, recents, or 
navigation control while target foreground app context changed within TimeWindow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Keypair generation, import, or access events (public/private key usage) occurring prior to network communication'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes archive, compression, or bulk-buffer packaging routines on 
previously accessed local data within the same execution chain'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase"} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application launches or executes code where loaded library or component path does not match application package path or expected signing context'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only 
after region match or location threshold condition'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or 
privileged file-removal operations immediately before installed-state loss'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections'}
[DC0032] Process Creation Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_removed STIX Field Old value New Value x_mitre_data_source_ref
values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-13 15:49:16.424000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0032 https://attack.mitre.org/data-components/DC0032 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AndroidLogs:Kernel', 'channel': 'init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock'} x_mitre_log_sources {'name': 'AndroidLogs:Framework', 'channel': 'Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/), or whose parent process originates from an app sandbox'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'startActivity on top of (launchMode/singleTop), task switch immediately after focus'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes audio buffer or recorded audio file into application storage directories'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application installed from adb, sideload, or unknown USB source'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)'}
[DC0034] Process Metadata Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-16 17:01:33.771000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'Crash or abnormal termination of security agent or system extension host'}
[DC0115] Protected Configuration Current version : 2.1
Version changed from : 2.0 → 2.1
+
+
+
+
+
+ t Device configuration options that are not typically utilized t Protected Configuration represents security-sensitive device
+ by benign applications settings, security policies, or operating system configurat
+ ions that are normally restricted to administrators, system
+ services, or device management platforms. Monitoring these c
+ onfigurations enables detection of adversaries attempting to
+ weaken device security controls or alter trusted device rel
+ ationships. Examples Android: - USB debugging enabled - Un
+ known app installation allowed - Developer options enabled
+ iOS: - Developer mode enabled - Device pairing trust relati
+ onships established - Configuration profile restrictions mod
+ ified
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-13 23:45:27.570000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0115 https://attack.mitre.org/data-components/DC0115 description Device configuration options that are not typically utilized by benign applications Protected Configuration represents security-sensitive device settings, security policies, or operating system configurations that are normally restricted to administrators, system services, or device management platforms.
+Monitoring these configurations enables detection of adversaries attempting to weaken device security controls or alter trusted device relationships.
+
+Examples
+Android:
+
+- USB debugging enabled
+- Unknown app installation allowed
+- Developer options enabled
+
+iOS:
+
+- Developer mode enabled
+- Device pairing trust relationships established
+- Configuration profile restrictions modified
+ x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Developer Mode enabled, supervised-device restriction changed, or trust-related protected device posture changed'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Biometric, credential, lockscreen, trust-agent, Smart Lock, or device-admin-related protected device configuration changed'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Passcode, biometrics, attention-aware authentication, or supervised-device lock policy changed in a way that weakens or alters the authentication boundary'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed Wi-Fi, VPN, cellular, or location-related policy state remains unchanged while network capability degrades'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed storage, backup, enterprise file access, or device policy state remains unchanged while bulk destructive file transformation occurs'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed app catalog, enterprise update policy, or trusted distribution posture remains unchanged while a known app exhibits materially different post-update behavior'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Managed app distribution, enterprise catalog trust, and update policy remain expected while a known package exhibits materially different post-install or post-update behavior'}
[DC0117] System Notifications Current version : 2.1
Version changed from : 2.0 → 2.1
+
+
+
+
+
+ t Notifications generated by the OS t System Notifications represent operating system alerts, warn
+ ings, or status messages generated in response to applicatio
+ n actions, system state changes, or security events. These n
+ otifications may indicate potentially malicious activity or
+ abnormal application behavior. Examples - Application requ
+ esting sensitive permissions - USB device connected notifica
+ tions - Security warnings triggered by device configuration
+ changes Collection Methods - Mobile OS notification monito
+ ring - Mobile EDR sensors - Device management telemetry
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-10 15:59:54.007000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0117 https://attack.mitre.org/data-components/DC0117 description Notifications generated by the OS System Notifications represent operating system alerts, warnings, or status messages generated in response to application actions, system state changes, or security events. These notifications may indicate potentially malicious activity or abnormal application behavior.
+
+Examples
+
+- Application requesting sensitive permissions
+- USB device connected notifications
+- Security warnings triggered by device configuration changes
+
+Collection Methods
+
+- Mobile OS notification monitoring
+- Mobile EDR sensors
+- Device management telemetry
+ x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': '\\"has pasted from\\" cross-app paste notification text containing source app name'}
[DC0118] System Settings Current version : 2.1
Version changed from : 2.0 → 2.1
+
+
+
+
+
+ t Settings visible to the user on the device t System Settings represent user-visible or OS-level configura
+ tion settings that influence device behavior, application pe
+ rmissions, connectivity, or system features. Monitoring sys
+ tem settings changes allows defenders to detect abnormal mod
+ ifications that may indicate malicious activity or device co
+ mpromise. Collection Methods - MDM device telemetry - Mob
+ ile EDR monitoring - OS configuration monitoring
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-08 20:14:04.248000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0118 https://attack.mitre.org/data-components/DC0118 description Settings visible to the user on the device System Settings represent user-visible or OS-level configuration settings that influence device behavior, application permissions, connectivity, or system features.
+
+Monitoring system settings changes allows defenders to detect abnormal modifications that may indicate malicious activity or device compromise.
+
+
+Collection Methods
+
+- MDM device telemetry
+- Mobile EDR monitoring
+- OS configuration monitoring
+ x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Microphone sensor activation or audio recording session initiated by application process'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application transitions to background or executes while screen locked during microphone session'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Cellular service state transitions (in-service→no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application remains backgrounded while accessibility service continues to receive events or perform actions across other foreground apps'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'device USB mode change (charging to file transfer / debugging / accessory)'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'Trusted computer / host relationship established or relevant device trust setting changed'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'Application or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context'} x_mitre_log_sources {'name': 'android:MDMLog', 'channel': 'No user-initiated airplane mode, radio disablement, or managed network setting change occurred during repeated connectivity degradation'} x_mitre_log_sources {'name': 'iOS:MDMLog', 'channel': 'No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Camera sensor access began from app identity and remained active for sustained capture interval in app context not mapped to approved video recording workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 
'channel': 'Camera sensor access occurred while AppState=background, foreground service active without visible user action, or DeviceLockState=locked during capture interval'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Foreground service continues accessing camera, microphone, location, or other while-in-use sensors after service promotion and outside recent user interaction'}
ics-attack Major Version Changes [DC0038] Application Log Content Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-24 19:46:47.171000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Default IME active or bound to (InputMethodManager reports imeId=)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Default IME changed/active: imeId=, onStartInput/onFinishInput high frequency. TYPE_APPLICATION_OVERLAY|addView .* showing on top of package '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Default IME active imeId=; frequent onStartInput/commitText calls'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Task switch from browser/custom tab to handler immediately after OAuth return'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'UIPasteboard read (general/string/data) by ; repeated reads or background access'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Secure text entry focus and editingChanged bursts not typical for the app'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields'} x_mitre_log_sources {'name': 
'iOS:unifiedlog', 'channel': 'Repeated canOpenURL checks across diverse schemes (≥N within short window)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)'} x_mitre_log_sources {'name': 'm365:exchange', 'channel': 'External sender message followed by user action involving links or attachments'} x_mitre_log_sources {'name': 'm365:teams', 'channel': 'External chat request or new tenant communication preceding approval activity'} x_mitre_log_sources {'name': 'm365:unified', 'channel': 'MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet'} x_mitre_log_sources {'name': 'm365:unified', 'channel': 'Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication'} x_mitre_log_sources {'name': 'saas:okta', 'channel': 'policy.rule.update;system.log.disable;admin.role.assign'} x_mitre_log_sources {'name': 'saas:slack', 'channel': 'xternal DM or workspace invite preceding credential or approval actions'} x_mitre_log_sources {'name': 'saas:zoom', 'channel': 'Unexpected contact interaction preceding follow-on admin requests'} x_mitre_domains mobile-attack
[DC0055] File Access Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:39:07.536000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'macOS:unifiedlog', 'channel': 'looking for file access to scripts with abnormal encoding patterns'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data//files/, /storage/emulated/0/Download//*)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'KeyChain/AndroidKeyStore read of token alias'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow'} x_mitre_log_sources {'name': 'auditd:SYSCALL', 'channel': 'attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) 
or Files/Photos provider mountpoints, especially when group not owned by bundle'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow'} x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'Recent download opened or executed'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution'} x_mitre_domains mobile-attack
[DC0039] File Creation Current version : 3.0
Version changed from : 2.0 → 3.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_data_source_ref
values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 17:17:05.280000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': 'App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data//files/, /sdcard/Download/) and high estimated entropy'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application//tmp|Library/Caches)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'App UID writes edited media to container paths (e.g., /data/data//files/, .../cache/, /storage/emulated/0/Pictures//) with high delta in size vs. original and elevated estimated segment entropy '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Create/write of high-entropy files in /data/data//(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Create/write under /data/data//(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Create/write in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)'} x_mitre_log_sources {'name': 
'iOS:unifiedlog', 'channel': 'CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE paths like /data/data//files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE to /data/data//(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE to /data/data//(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE /data/data//(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'CREATE/WRITE /data/data//(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'File writes from removable-media or USB-associated paths into download, package staging, temp, or 
application-accessible storage shortly after USB connection'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'large file write originating from /mnt/usb or external mounted storage'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes 
archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state'} x_mitre_domains mobile-attack
[DC0040] File Deletion Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:19:16.114000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication'} x_mitre_domains mobile-attack
[DC0061] File Modification Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-16 16:41:53.549000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AndroidLogs:FileSystem', 'channel': 'Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history'} x_mitre_log_sources {'name': 'auditd:PATH', 'channel': 'odification of ~/.ssh/authorized_keys or credential files'} x_mitre_domains mobile-attack
[DC0016] Module Load Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-01-29 17:21:27.873000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0016 https://attack.mitre.org/data-components/DC0016 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': 'DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Short burst of file I/O followed by JNI/dlopen of a newly created .so'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'dyld: dlopen/dyld_cache load from non-standard app-writable path'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'dlopen/image load from app-writable path (tmp, Caches) outside bundled resources'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so'} x_mitre_domains mobile-attack
[DC0001] Scheduled Job Creation Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-09 17:05:23.355000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0001 https://attack.mitre.org/data-components/DC0001 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'MobiledEDR:telemetry', 'channel': 'Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger'} x_mitre_domains mobile-attack
[DC0002] User Account Authentication Current version : 3.0
Version changed from : 2.0 → 3.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-24 19:47:33.610000+00:00 x_mitre_version 2.0 3.0
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'saas:MDM', 'channel': 'Authentication events to device management or enterprise mobility management consoles'} x_mitre_log_sources {'name': 'saas:MDM', 'channel': 'Authentication events to Apple iCloud or enterprise device management services'} x_mitre_log_sources {'name': 'saas:okta', 'channel': 'user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize'} x_mitre_domains mobile-attack
Minor Version Changes [DC0064] Command Execution Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-24 19:47:16.123000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'android:logcat', 'channel': "Command 'pm list packages' executed by app sandbox or child proc"} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content'} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve of curl,wget,bash,sh,python with piped or remote content'} x_mitre_log_sources {'name': 'auditd:EXECVE', 'channel': 'execve, kill, ptrace, insmod, rmmod targeting security processes'} x_mitre_log_sources {'name': 'esxi:shell', 'channel': 'esxcli system syslog config set/reload, services.sh restart/stop'} x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'Execution of osascript, sh, bash, zsh, installer, open'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase'}
[DC0059] File Metadata Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:33:47.956000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'auditd:SYSCALL', 'channel': 'stat and lstat syscall results on files, including inode and permission info'} x_mitre_log_sources {'name': 'AndroidLogs:Framework', 'channel': 'BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps'} x_mitre_domains mobile-attack
[DC0082] Network Connection Creation Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:37:33.992000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'log entries indicating network connection initiation on macOS'} x_mitre_log_sources {'name': 'Network', 'channel': 'None'} x_mitre_log_sources {'name': 'NSM:Connections', 'channel': 'Outbound connection after script or installer launch'}
[DC0085] Network Traffic Content Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:14:34.343000+00:00 2026-04-22 14:48:50.367000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'Traffic', 'channel': 'None'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)'} x_mitre_log_sources {'name': 'NSM:Connections', 'channel': 'Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing 
anomalous or low-and-slow command polling behavior'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Traffic spike preceding control crash'} x_mitre_log_sources {'name': 'NSM:Inspection', 'channel': 
'TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation'} x_mitre_log_sources {'name': 'NSM:Inspection', 'channel': 'TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect'} x_mitre_log_sources {'name': 'TelecomLogs:SS7Signaling', 'channel': 'Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns'} x_mitre_log_sources {'name': 'TelecomLogs:SS7Signaling', 'channel': 'Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class"} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET 
or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 
'channel': 'Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception'} x_mitre_log_sources {'name': 'VPN:MobileProxy', 'channel': 'Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception'}
[DC0078] Network Traffic Flow Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-09 17:32:30.362000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0078 https://attack.mitre.org/data-components/DC0078 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'TelecomLogs:MobilityEvents', 'channel': 'Unexpected location resolution events or abnormal subscriber tracking requests'} x_mitre_log_sources {'name': 'TelecomLogs:MobilityEvents', 'channel': 'Unexpected subscriber tracking or abnormal mobility/location resolution activity'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns'} x_mitre_log_sources {'name': 'NSM:Flow', 'channel': 'App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication'}
[DC0021] OS API Execution Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-23 18:22:40.476000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AndroidLogs:Kernel', 'channel': 'Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'QUERY on exported ContentProviders of other packages (content:///*) or MediaStore scoped queries immediately preceding file reads'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by '} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for . TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by '} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. 
Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'ACTION_VIEW redirect_uri handled by unexpected package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'wifiservice startScan / scanResults retrieved repeatedly or by unexpected package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'telephony cell info enumeration bursts (neighboring/all cell info) by package'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application invokes UIDevice queries (model, systemVersion, name)'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source'} 
x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Application activates CoreLocation services or CLLocationManager APIs'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Observed network-path, reachability, DNS, transport, or location-provider 
framework reports repeated unavailable or failed state near active device use'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of Calendar.set() and Calendar.add()'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated trusted app invokes Android framework paths or special access 
patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 
'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of CallLogs.getLastOutgoingCall()'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'Invocation of AccountManager.getAccounts()'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app invoked global action such as back, home, recents, or 
navigation control while target foreground app context changed within TimeWindow'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Keypair generation, import, or access events (public/private key usage) occurring prior to network communication'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes archive, compression, or bulk-buffer packaging routines on 
previously accessed local data within the same execution chain'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase"} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application launches or executes code where loaded library or component path does not match application package path or expected signing context'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only 
after region match or location threshold condition'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or 
privileged file-removal operations immediately before installed-state loss'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections'}
[DC0032] Process Creation Current version : 2.1
Version changed from : 2.0 → 2.1
Details dictionary_item_removed STIX Field Old value New Value x_mitre_data_source_ref
values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-13 15:49:16.424000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0032 https://attack.mitre.org/data-components/DC0032 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'AndroidLogs:Kernel', 'channel': 'init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock'} x_mitre_log_sources {'name': 'AndroidLogs:Framework', 'channel': 'Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/), or whose parent process originates from an app sandbox'} x_mitre_log_sources {'name': 'iOS:unifiedlog', 'channel': 'Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'startActivity on top of (launchMode/singleTop), task switch immediately after focus'} x_mitre_log_sources {'name': 'android:logcat', 'channel': 'unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application writes audio buffer or recorded audio file into application storage directories'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application installed from adb, sideload, or unknown USB source'} 
x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor'} x_mitre_log_sources {'name': 'MobileEDR:telemetry', 'channel': 'application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)'}
[DC0107] Process History/Live Data Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-22 14:51:44.669000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'Databases', 'channel': 'None'}
[DC0034] Process Metadata Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-16 17:01:33.771000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'macos:unifiedlog', 'channel': 'Crash or abnormal termination of security agent or system extension host'}
[DC0109] Process/Event Alarm Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-22 15:07:16.930000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'Databases', 'channel': 'None'}
[DC0065] Service Modification Current version : 2.1
Version changed from : 2.0 → 2.1
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-20 18:21:23.994000+00:00 x_mitre_version 2.0 2.1
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'esxi:hostd', 'channel': 'service state change'}
Patches [DC0041] Service Metadata Current version : 2.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-04-16 16:59:19.254000+00:00
iterable_item_added STIX Field Old value New Value x_mitre_log_sources {'name': 'auditd:DAEMON', 'channel': 'auditd stopped, config changed, logging suspended'}
[DC0063] Windows Registry Key Modification Current version : 2.0
Details dictionary_item_removed STIX Field Old value New Value x_mitre_data_source_ref
values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-03-13 23:12:09.029000+00:00 external_references[0]['url'] https://attack.mitre.org/datacomponents/DC0063 https://attack.mitre.org/data-components/DC0063
iterable_item_removed STIX Field Old value New Value x_mitre_log_sources {'name': 'Windows Registry', 'channel': 'None'}
Detection Strategies enterprise-attack New Detection Strategies [DET0899] Detect Social Engineering Current version : 1.0
[DET0901] Detect Windows Firewall Current version : 1.0
[DET0920] Detection Strategy for Invisible Unicode Current version : 1.0
[DET0918] Detection of Audio-Visual Content Current version : 1.0
[DET0900] Detection of Defense Impairment Current version : 1.0
[DET0916] Detection of Generate Content Current version : 1.0
[DET0919] Detection of Query Public AI Services Current version : 1.0
[DET0917] Detection of Written Content Current version : 1.0
Minor Version Changes [DET0497] Detection of Defense Impairment through Disabled or Modified Tools across OS Platforms. Current version : 1.1
Version changed from : 1.0 → 1.1
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:24:31.994Z name Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. Detection of Defense Impairment through Disabled or Modified Tools across OS Platforms. x_mitre_version 1.0 1.1
iterable_item_added STIX Field Old value New Value x_mitre_analytic_refs x-mitre-analytic--2b990a38-dedf-4a9a-9bd2-9a805c2f1b46
Patches [DET0187] Detect Disabled Windows Event Log Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:24:45.876Z name Detect disabled Windows event logging Detect Disabled Windows Event Log
[DET0563] Detection Strategy for Defense Impairment via Prevent Command History Logging across OS platforms. Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:25:01.924Z name Detection Strategy for Impair Defenses via Impair Command History Logging across OS platforms. Detection Strategy for Defense Impairment via Prevent Command History Logging across OS platforms.
[DET0289] Detection Strategy for Disable or Modify Cloud Log Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:25:34.812Z name Detection Strategy for Disable or Modify Cloud Logs Detection Strategy for Disable or Modify Cloud Log
[DET0062] Detection Strategy for Disable or Modify Linux Audit System Log Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:25:52.122Z name Detection Strategy for Disable or Modify Linux Audit System Detection Strategy for Disable or Modify Linux Audit System Log
[DET0595] Detection Strategy for Exploitation for Stealth Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:26:05.352Z name Detection Strategy for Exploitation for Defense Evasion Detection Strategy for Exploitation for Stealth
[DET0311] Detection for Spoofing Tool UI across OS Platforms Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:26:14.331Z name Detection for Spoofing Security Alerting across OS Platforms Detection for Spoofing Tool UI across OS Platforms
[DET0588] Detection of Remote Service Session Hijacking for RDP. Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:26:25.154Z name Detection fo Remote Service Session Hijacking for RDP. Detection of Remote Service Session Hijacking for RDP.
[DET0306] Detection of Unauthorized Network Firewall Rule Modification Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:26:54.885Z name Unauthorized Network Firewall Rule Modification (T1562.013) Detection of Unauthorized Network Firewall Rule Modification
Deprecations [DET0317] Detection Strategy for Impair Defenses Across Platforms Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:27:16.119Z x_mitre_deprecated False True
[DET0239] Detection Strategy for Impair Defenses Indicator Blocking Current version : 1.0
Details dictionary_item_added STIX Field Old value New Value spec_version 2.1
values_changed STIX Field Old value New Value created 2025-10-21 15:10:28.402000+00:00 2025-10-21T15:10:28.402Z modified 2025-10-21 15:10:28.402000+00:00 2026-04-24T20:27:28.990Z x_mitre_deprecated False True
ics-attack New Detection Strategies [DET0910] Detection of Block Communications Current version : 1.0
[DET0911] Detection of Block Ethernet Current version : 1.0
[DET0903] Detection of Block Operational Technology Message Current version : 1.0
[DET0912] Detection of Block Wi-Fi Current version : 1.0
[DET0908] Detection of Broadcast Discovery Current version : 1.0
[DET0904] Detection of Firmware Modification Current version : 1.0
[DET0905] Detection of Insecure Credentials Current version : 1.0
[DET0909] Detection of Multicast Discovery Current version : 1.0
[DET0915] Detection of Online Edit Current version : 1.0
[DET0907] Detection of Port Scan Current version : 1.0
[DET0914] Detection of Program Append Current version : 1.0
[DET0913] Detection of Program Download All Current version : 1.0
[DET0906] Detection of Siemens Project File Format Infection Current version : 1.0
[DET0902] Detection of Unauthorized Message Current version : 1.0
Analytics enterprise-attack New Analytics [AN2033] Analytic 2033 Current version : 1.0
Description :
Detects suspicious inbound communications or collaboration requests followed by rapid sensitive user actions such as file sharing changes, macro enablement, OAuth consent, credential submission, or financial workflow approvals that deviate from historical relationships or normal approval patterns.
[AN2034] Analytic 2034 Current version : 1.0
Description :
Detects consent grants, password resets, role changes, external sharing, or token creation shortly after user interaction with messages, invites, or help desk workflows. Emphasis is placed on unusual requester relationships, new device context, or off-hours approvals.
[AN2035] Analytic 2035 Current version : 1.0
Description :
Detects user execution of newly received content or instructions shortly after external communication, including script launches, Office child process spawning, browser-to-script execution chains, or credential prompts followed by new logon sessions.
[AN2036] Analytic 2036 Current version : 1.0
Description :
Detects user-authorized execution of downloaded content or scripts after communication prompts, including browser downloads followed by osascript, shell, or installer execution and subsequent network activity.
[AN2037] Analytic 2037 Current version : 1.0
Description :
Detects users executing commands copied from chats, tickets, or emails, including curl|bash patterns, shell script launches from temp directories, credential changes, or SSH key additions shortly after communication events.
[AN2038] Analytic 2038 Current version : 1.0
Description :
Detects suspicious interactions with security products followed by service crashes, unexpected restarts, driver unloads, telemetry gaps, or tamper-state changes. Correlates exploit precursor behavior with immediate degradation of defensive services and follow-on process execution.
[AN2039] Analytic 2039 Current version : 1.0
Description :
Detects exploitation attempts against security daemons or kernel security modules followed by daemon termination, disabled logging, module unload, audit stoppage, or reduced endpoint telemetry. Correlates local execution or network input with control degradation.
[AN2040] Analytic 2040 Current version : 1.0
Description :
Detects crafted activity resulting in crashes or impairment of endpoint security extensions, network filters, launch daemons, or telemetry agents. Correlates process activity, system extension state changes, and telemetry interruption.
[AN2041] Analytic 2041 Current version : 1.0
Description :
Detects exploitation of cloud-native security boundaries or management components followed by disabled logging, detached agents, changed security groups, policy bypass, or telemetry suppression. Correlates suspicious API activity with reduced control coverage.
[AN2042] Analytic 2042 Current version : 1.0
Description :
Detects exploitation or abuse of SaaS security workflows resulting in disabled alerts, reduced retention, bypassed enforcement, role escalation, or tokenized persistence that weakens monitoring. Correlates unusual admin/API activity with visibility reduction.
[AN2043] Analytic 2043 Current version : 1.0
Description :
Detects processes or users modifying Windows Defender Firewall profiles, policies, or rules followed by measurable network exposure changes. Correlates firewall management execution, registry/policy mutation, service state changes, and subsequent inbound or outbound connectivity inconsistent with baseline administration.
[AN2044] Analytic 2044 Current version : 1.0
Description :
Detects esxcli commands disabling syslog, firewall, lockdown mode, or stopping hostd/vpxa; correlates command execution with reduced forwarding activity.
[AN2059] Analytic 2059 Current version : 1.0
Description :
Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.
+Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
[AN2060] Analytic 2060 Current version : 1.0
Description :
Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.
+Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
[AN2061] Analytic 2061 Current version : 1.0
Description :
Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.
+Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
[AN2062] Analytic 2062 Current version : 1.0
Description :
Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.
+Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
[AN2063] Analytic 2063 Current version : 1.0
Description :
Detection identifies execution of scripts or files that appear visually benign (low printable character ratio) but result in runtime decoding, dynamic evaluation, and subsequent process or network activity. Correlation links script execution with abnormal Unicode density and follow-on behavior such as child process creation or outbound connections.
[AN2064] Analytic 2064 Current version : 1.0
Description :
Detection identifies execution of scripts containing high concentrations of invisible Unicode characters followed by decoding or interpretation behaviors (e.g., base64 decode, eval) and subsequent process or network activity. Emphasis is placed on mismatch between file entropy/structure and execution output.
[AN2065] Analytic 2065 Current version : 1.0
Description :
Detection identifies execution of scripts or applications containing invisible Unicode payloads reconstructed at runtime, correlated with abnormal AppleScript, JavaScript for Automation, or shell execution and subsequent process or network behavior inconsistent with visible file content.
Minor Version Changes [AN1370] Analytic 1370 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Detection of adversaries attempting to stop or disable host- t Detects kill/systemctl/service commands against EDR, auditd,
+ based security agents by killing daemons, unloading kernel m falco, osquery, rsyslog, journald, or agent processes; conf
+ odules, or modifying init/systemd service configurations. iguration edits disabling startup; module unload attempts; a
+ brupt cessation of logs after privileged shell execution.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:33:02.253000+00:00 description Detection of adversaries attempting to stop or disable host-based security agents by killing daemons, unloading kernel modules, or modifying init/systemd service configurations. Detects kill/systemctl/service commands against EDR, auditd, falco, osquery, rsyslog, journald, or agent processes; configuration edits disabling startup; module unload attempts; abrupt cessation of logs after privileged shell execution. x_mitre_version 1.0 1.1
[AN1371] Analytic 1371 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Detection of adversary disabling endpoint security tools by t Detection of adversary disabling endpoint security tools by
+ unloading launch agents/daemons, modifying configuration pro unloading launch agents/daemons, modifying configuration pro
+ files, or using security/uninstall commands to remove agents files, or disabling Gatekeeper/XProtect/logging settings, or
+ . removing endpoint agents followed by telemetry loss.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:32:42.659000+00:00 description Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or using security/uninstall commands to remove agents. Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or disabling Gatekeeper/XProtect/logging settings, or removing endpoint agents followed by telemetry loss. x_mitre_version 1.0 1.1
[AN1372] Analytic 1372 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Detection of adversaries disabling cloud monitoring and logg t Correlates control-plane API actions disabling cloud-native
+ ing agents such as CloudWatch, Google Cloud Monitoring, or A monitoring or sensor agents (CloudTrail, GuardDuty, Security
+ zure Monitor by API calls or agent process termination. Hub, Defender, monitoring agents), role abuse preceding dis
+ ablement, or instance agent uninstall events
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:31:55.528000+00:00 description Detection of adversaries disabling cloud monitoring and logging agents such as CloudWatch, Google Cloud Monitoring, or Azure Monitor by API calls or agent process termination. Correlates control-plane API actions disabling cloud-native monitoring or sensor agents (CloudTrail, GuardDuty, Security Hub, Defender, monitoring agents), role abuse preceding disablement, or instance agent uninstall events x_mitre_version 1.0 1.1
[AN1373] Analytic 1373 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Detection of adversaries tampering with container runtime se t Detects disabling container runtime security controls, remov
+ curity plugins, disabling admission controllers, or stopping ing sidecar sensors, modifying seccomp/AppArmor profiles, mo
+ monitoring sidecars. unting host proc/sys paths to interfere with host logging, o
+ r killing in-container monitoring agents.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:33:43.898000+00:00 description Detection of adversaries tampering with container runtime security plugins, disabling admission controllers, or stopping monitoring sidecars. Detects disabling container runtime security controls, removing sidecar sensors, modifying seccomp/AppArmor profiles, mounting host proc/sys paths to interfere with host logging, or killing in-container monitoring agents. x_mitre_version 1.0 1.1
[AN1374] Analytic 1374 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Detection of adversaries modifying startup configuration fil t Detects disabling AAA, syslog, SNMP traps, ACL logging, or s
+ es to disable signature verification, logging, or monitoring ecurity features on routers/switches/firewalls; correlates p
+ features. rivileged login followed by configuration commit reducing vi
+ sibility.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:33:32.261000+00:00 description Detection of adversaries modifying startup configuration files to disable signature verification, logging, or monitoring features. Detects disabling AAA, syslog, SNMP traps, ACL logging, or security features on routers/switches/firewalls; correlates privileged login followed by configuration commit reducing visibility. x_mitre_version 1.0 1.1
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'networkdevice:syslog', 'channel': 'no logging host, no aaa new-model, no snmp-server, commit'}
[AN1452] Analytic 1452 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Process creation and command-line execution of native system t Detection of processes executing system environment inspecti
+ discovery utilities such as `systeminfo`, `hostname`, `wmic on operations followed by access to OS configuration APIs or
+ `, or use of PowerShell/WMI for system enumeration. registry locations that expose OS version, architecture, pa
+ tch level, or hardware characteristics. Defenders observe pr
+ ocess execution retrieving system configuration metadata imm
+ ediately after process startup.
+
+
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-03-13 22:32:32.447000+00:00 description Process creation and command-line execution of native system discovery utilities such as `systeminfo`, `hostname`, `wmic`, or use of PowerShell/WMI for system enumeration. Detection of processes executing system environment inspection operations followed by access to OS configuration APIs or registry locations that expose OS version, architecture, patch level, or hardware characteristics. Defenders observe process execution retrieving system configuration metadata immediately after process startup. x_mitre_version 1.0 1.1
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=1'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13, 14'}
[AN1612] Analytic 1612 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Detection of suspicious enumeration of local or domain accou t Detection of processes performing local or domain account en
+ nts via command-line tools, WMI, or scripts. umeration by invoking account directory queries or security
+ APIs followed by structured output of account lists. The def
+ ender observes command execution or API invocation patterns
+ that retrieve account information and produce enumeration ar
+ tifacts shortly afterward.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-13 22:22:07.647000+00:00 description Detection of suspicious enumeration of local or domain accounts via command-line tools, WMI, or scripts. Detection of processes performing local or domain account enumeration by invoking account directory queries or security APIs followed by structured output of account lists. The defender observes command execution or API invocation patterns that retrieve account information and produce enumeration artifacts shortly afterward. x_mitre_version 1.0 1.1
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4688'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4798, 4799'}
[AN1614] Analytic 1614 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Detection of user account enumeration through tools like dsc t Detection of account enumeration through directory service q
+ l, dscacheutil, or loginshell enumeration via command-line. ueries or system utilities accessing account metadata stores
+ , followed by structured enumeration output.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-13 22:24:28.695000+00:00 description Detection of user account enumeration through tools like dscl, dscacheutil, or loginshell enumeration via command-line. Detection of account enumeration through directory service queries or system utilities accessing account metadata stores, followed by structured enumeration output. x_mitre_version 1.0 1.1
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0', 'name': 'macos:unifiedlog', 'channel': 'DirectoryService queries retrieving account information'}
Patches [AN0551] Analytic 0551 Current version : 1.0
Details values_changed STIX Field Old value New Value modified 2025-11-12 22:03:39.105000+00:00 2026-03-13 23:17:37.896000+00:00 x_mitre_log_source_references[0]['name'] WinEventLog:Security WinEventLog:PowerShell
[AN1615] Analytic 1615 Current version : 1.0
+
+
+
+
+
+ t Detection of API calls listing users, IAM roles, or groups i t Detection of enumeration of identity entities through cloud
+ n cloud environments. provider APIs where principals retrieve account metadata suc
+ h as IAM users or roles in rapid succession.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-13 22:30:14.543000+00:00 description Detection of API calls listing users, IAM roles, or groups in cloud environments. Detection of enumeration of identity entities through cloud provider APIs where principals retrieve account metadata such as IAM users or roles in rapid succession.
[AN1616] Analytic 1616 Current version : 1.0
+
+
+
+
+
+ t Enumeration of user or role objects via IdP API endpoints or t Detection of identity directory enumeration through API call
+ LDAP queries. s or administrative queries retrieving multiple account obje
+ cts within a short interval.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-13 22:29:39.660000+00:00 description Enumeration of user or role objects via IdP API endpoints or LDAP queries. Detection of identity directory enumeration through API calls or administrative queries retrieving multiple account objects within a short interval.
[AN1617] Analytic 1617 Current version : 1.0
+
+
+
+
+
+ t Account enumeration via esxcli, vim-cmd, or API calls to vSp t Detection of enumeration activity when system processes quer
+ here. y ESXi host account configuration or management APIs to retr
+ ieve user account listings.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-13 22:28:56.147000+00:00 description Account enumeration via esxcli, vim-cmd, or API calls to vSphere. Detection of enumeration activity when system processes query ESXi host account configuration or management APIs to retrieve user account listings.
[AN1940] Analytic 1940 Current version : 1.0
+
+
+
+
+
+ t Much of this activity will take place outside the visibility t Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavi of the target organization, making detection of this behavi
+ or difficult. Detection efforts may be focused on behaviors or difficult. Detection efforts may be focused on behaviors
+ relating to the potential use of exploits for vulnerabilitie relating to the potential use of exploits for vulnerabilitie
+ s (i.e. [Exploit Public-Facing Application](https://attack.m s (i.e. [Exploit Public-Facing Application](https://attack.m
+ itre.org/techniques/T1190), [Exploitation for Client Executi itre.org/techniques/T1190), [Exploitation for Client Executi
+ on](https://attack.mitre.org/techniques/T1203), [Exploitatio on](https://attack.mitre.org/techniques/T1203), [Exploitatio
+ n for Privilege Escalation](https://attack.mitre.org/techniq n for Privilege Escalation](https://attack.mitre.org/techniq
+ ues/T1068), [Exploitation for Defense Evasion ](https://attac ues/T1068), [Exploitation for Stealth ](https://attack.mitre.
+ k.mitre.org/techniques/T1211), [Exploitation for Credential org/techniques/T1211), [Exploitation for Credential Access](
+ Access](https://attack.mitre.org/techniques/T1212), [Exploit https://attack.mitre.org/techniques/T1212), [Exploitation of
+ ation of Remote Services](https://attack.mitre.org/technique Remote Services](https://attack.mitre.org/techniques/T1210)
+ s/T1210), and [Application or System Exploitation](https://a , and [Application or System Exploitation](https://attack.mi
+ ttack.mitre.org/techniques/T1499/004)). tre.org/techniques/T1499/004)).
+
+
Details values_changed STIX Field Old value New Value description Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
[AN1959] Analytic 1959 Current version : 1.0
+
+
+
+
+
+ t Much of this activity will take place outside the visibilit t Much of this activity will take place outside the visibilit
+ y of the target organization, making detection of this behav y of the target organization, making detection of this behav
+ ior difficult. Detection efforts may be focused on behaviors ior difficult. Detection efforts may be focused on behaviors
+ relating to the use of exploits (i.e. [Exploit Public-Facin relating to the use of exploits (i.e. [Exploit Public-Facin
+ g Application](https://attack.mitre.org/techniques/T1190), [ g Application](https://attack.mitre.org/techniques/T1190), [
+ Exploitation for Client Execution](https://attack.mitre.org/ Exploitation for Client Execution](https://attack.mitre.org/
+ techniques/T1203), [Exploitation for Privilege Escalation](h techniques/T1203), [Exploitation for Privilege Escalation](h
+ ttps://attack.mitre.org/techniques/T1068), [Exploitation for ttps://attack.mitre.org/techniques/T1068), [Exploitation for
+ Defense Evasion ](https://attack.mitre.org/techniques/T1211) Stealth ](https://attack.mitre.org/techniques/T1211), [Explo
+ , [Exploitation for Credential Access](https://attack.mitre. itation for Credential Access](https://attack.mitre.org/tech
+ org/techniques/T1212), [Exploitation of Remote Services](htt niques/T1212), [Exploitation of Remote Services](https://att
+ ps://attack.mitre.org/techniques/T1210), and [Application or ack.mitre.org/techniques/T1210), and [Application or System
+ System Exploitation](https://attack.mitre.org/techniques/T1 Exploitation](https://attack.mitre.org/techniques/T1499/004)
+ 499/004)). ).
+
+
Details values_changed STIX Field Old value New Value description
+Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
+Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
[AN2026] Analytic 2026 Current version : 1.0
+
+
+
+
+
+ t Much of this activity will take place outside the visibility t Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavi of the target organization, making detection of this behavi
+ or difficult. Detection efforts may be focused on behaviors or difficult. Detection efforts may be focused on behaviors
+ relating to the use of exploits (i.e. [Exploit Public-Facing relating to the use of exploits (i.e. [Exploit Public-Facing
+ Application](https://attack.mitre.org/techniques/T1190), [E Application](https://attack.mitre.org/techniques/T1190), [E
+ xploitation for Client Execution](https://attack.mitre.org/t xploitation for Client Execution](https://attack.mitre.org/t
+ echniques/T1203), [Exploitation for Privilege Escalation](ht echniques/T1203), [Exploitation for Privilege Escalation](ht
+ tps://attack.mitre.org/techniques/T1068), [Exploitation for tps://attack.mitre.org/techniques/T1068), [Exploitation for
+ Defense Evasion ](https://attack.mitre.org/techniques/T1211),Stealth ](https://attack.mitre.org/techniques/T1211), [Exploi
+ [Exploitation for Credential Access](https://attack.mitre.o tation for Credential Access](https://attack.mitre.org/techn
+ rg/techniques/T1212), [Exploitation of Remote Services](http iques/T1212), [Exploitation of Remote Services](https://atta
+ s://attack.mitre.org/techniques/T1210), and [Application or ck.mitre.org/techniques/T1210), and [Application or System E
+ System Exploitation](https://attack.mitre.org/techniques/T14 xploitation](https://attack.mitre.org/techniques/T1499/004))
+ 99/004)). .
+
+
Details values_changed STIX Field Old value New Value description Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
mobile-attack Major Version Changes [AN1650] Analytic 1650 Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Application vetting services could look for `android.permisst OLD: Application vetting services could look for `android.pe
+ ion.READ_CALL_LOG` in an Android application’s manifest. Mos rmission.READ_CALL_LOG` in an Android application’s manifest
+ t applications do not need call log access, so extra scrutin . Most applications do not need call log access, so extra sc
+ y could be applied to those that request it. On Android, th rutiny could be applied to those that request it. On Androi
+ e user can manage which applications have permission to acce d, the user can manage which applications have permission to
+ ss the call log through the device settings screen, revoking access the call log through the device settings screen, rev
+ the permission if necessary. oking the permission if necessary. NEW: A defender observes
+ an Android application requesting for `android.permission.R
+ EAD_CALL_LOG`, which may also be listed in the application's
+ manifest file.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-23 17:35:57.553000+00:00 description Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it.
+On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. OLD: Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it.
+On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.
+
+NEW: A defender observes an Android application requesting for `android.permission.READ_CALL_LOG`, which may also be listed in the application's manifest file. x_mitre_version 1.0 2.0 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'Invocation of CallLogs.getLastOutgoingCall()'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Application granted or retaining the READ_CALL_LOG permission. '}
[AN1693] Analytic 1693 Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t When vetting applications for potential security weaknesses, t When vetting applications for potential security weaknesses,
+ the vetting process could look for insecure use of Intents. the vetting process could look for insecure use of Intents.
+ Developers should be encouraged to use techniques to ensure Defenders should validate the entirety of the URI. For exam
+ that the intent can only be sent to an appropriate destinat ple, the URI's scheme should be `https` and the URI's host s
+ ion (e.g., use explicit rather than implicit intents, permis hould be on a list of trusted hosts.(Citation: Android_Unsaf
+ sion checking, checking of the destination app's signing cer eURILoading_Sept2024) Developers should be encouraged to us
+ tificate, or utilizing the App Links feature). For mobile ap e techniques to ensure that the intent can only be sent to a
+ plications using OAuth, encourage use of best practice. (Cit n appropriate destination (e.g., use explicit rather than im
+ ation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On plicit intents, permission checking, checking of the destina
+ Android, users may be presented with a popup to select the a tion app's signing certificate, or utilizing the App Links f
+ ppropriate application to open the URI in. If the user sees eature). For mobile applications using OAuth, encourage use
+ an application they do not recognize, they can remove it. of best practice.(Citation: IETF-OAuthNativeApps)(Citation:
+ Android-AppLinks) On Android, users may be presented with a
+ popup to select the appropriate application to open the URI
+ in. If the user sees an application they do not recognize,
+ they can remove it.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-02 20:08:42.566000+00:00 description When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)
+On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Defenders should validate the entirety of the URI. For example, the URI's scheme should be `https` and the URI's host should be on a list of trusted hosts.(Citation: Android_UnsafeURILoading_Sept2024)
+
+Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)
+
+On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. x_mitre_version 1.0 2.0
iterable_item_added STIX Field Old value New Value external_references {'source_name': 'Android_UnsafeURILoading_Sept2024', 'description': 'Android Developers. (2024, September 24). Webviews – Unsafe URI Loading. Retrieved March 2, 2026.', 'url': 'https://developer.android.com/privacy-and-security/risks/unsafe-uri-loading'}
[AN1694] Analytic 1694 Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t When vetting applications for potential security weaknesses, t When vetting applications for potential security weaknesses,
+ the vetting process could look for insecure use of Intents. the vetting process could look for insecure use of Intents.
+ Developers should be encouraged to use techniques to ensure Developers should be encouraged to use techniques to ensu
+ that the intent can only be sent to an appropriate destinat re that the intent can only be sent to an appropriate destin
+ ion (e.g., use explicit rather than implicit intents, permis ation (e.g., use explicit rather than implicit intents, perm
+ sion checking, checking of the destination app's signing cer ission checking, checking of the destination app's signing c
+ tificate, or utilizing the App Links feature). For mobile ap ertificate, or utilizing the App Links feature). For mobile
+ plications using OAuth, encourage use of best practice. (Cit applications using OAuth, encourage use of best practice.(Ci
+ ation: IETF-OAuthNativeApps)(Citation: Android- AppLinks ) On tation: IETF-OAuthNativeApps)(Citation: Secure Auth_iOSO Auth_
+ Android, users may be presented with a popup to select the a 2025 )
+ ppropriate application to open the URI in. If the user sees
+ an application they do not recognize, they can remove it.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-02 20:11:59.312000+00:00 external_references[1]['source_name'] Android-AppLinks SecureAuth_iOSOAuth_2025 external_references[1]['description'] Android. (n.d.). Handling App Links. Retrieved December 21, 2016. SecureAuth. (2025). Build an iOS App Using OAuth 2.0 and PKCE. Retrieved March 2, 2026. external_references[1]['url'] https://developer.android.com/training/app-links/index.html https://docs.secureauth.com/ciam/en/build-an-ios-app-using-oauth-2-0-and-pkce.html description When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)
+On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents.
+
+Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: SecureAuth_iOSOAuth_2025) x_mitre_version 1.0 2.0
[AN1708] Analytic 1708 Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Monitor for API calls that are related to the AccountManager t OLD: Monitor for API calls that are related to the AccountMa
+ API on Android and Keychain services on iOS. Application ve nager API on Android and Keychain services on iOS. Applicati
+ tting services may look for `MANAGE_ACCOUNTS` in an Android on vetting services may look for `MANAGE_ACCOUNTS` in an And
+ application’s manifest. Most applications do not need access roid application’s manifest. Most applications do not need a
+ to accounts, so extra scrutiny may be applied to those that ccess to accounts, so extra scrutiny may be applied to those
+ request it. that request it. NEW: A defender observes an Android appli
+ cation invoking the AccountManager API.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-23 23:00:36.132000+00:00 description Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.
+Application vetting services may look for `MANAGE_ACCOUNTS` in an Android application’s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it. OLD: Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.
+Application vetting services may look for `MANAGE_ACCOUNTS` in an Android application’s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.
+
+NEW: A defender observes an Android application invoking the AccountManager API. x_mitre_version 1.0 2.0 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'Process', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'Invocation of AccountManager.getAccounts()'}
iterable_item_removed STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'}
[AN1774] Analytic 1774 Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Application vetting services could look for `android.permisst OLD: Application vetting services could look for `android.p
+ ion.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in ermission.READ_CALENDAR` or `android.permission.WRITE_CALEND
+ an Android application’s manifest, or `NSCalendarsUsageDesc AR` in an Android application’s manifest, or `NSCalendarsUsa
+ ription` in an iOS application’s `Info.plist` file. Most app geDescription` in an iOS application’s `Info.plist` file. Mo
+ lications do not need calendar access, so extra scrutiny cou st applications do not need calendar access, so extra scruti
+ ld be applied to those that request it. On both Android and ny could be applied to those that request it. On both Andro
+ iOS, the user can manage which applications have permission id and iOS, the user can manage which applications have perm
+ to access calendar information through the device settings ission to access calendar information through the device set
+ screen, revoke the permission if necessary. tings screen, revoke the permission if necessary. NEW: A d
+ efender observes an Android application requesting for `andr
+ oid.permission.READ_CALENDAR` or `android.permission.WRITE_C
+ ALENDAR`, which may also be listed in the application’s Mani
+ fest.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-23 17:29:42.280000+00:00 description Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application’s manifest, or `NSCalendarsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it.
+On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. OLD:
+Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application’s manifest, or `NSCalendarsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it.
+On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary.
+
+NEW:
+A defender observes an Android application requesting for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR`, which may also be listed in the application’s Manifest. x_mitre_version 1.0 2.0 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'Invocation of Calendar.set() and Calendar.add()'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog ', 'channel': 'Application granted or retaining the READ_CALENDAR or WRITE_CALENDAR permissions. '}
[AN1782] Analytic 1782 Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Application vetting services could look for `android.permisst OLD: Application vetting services could look for `android.pe
+ ion.READ_CONTACTS` in an Android application’s manifest, or rmission.READ_CONTACTS` in an Android application’s manifest
+ `NSContactsUsageDescription` in an iOS application’s `Info.p , or `NSContactsUsageDescription` in an iOS application’s `I
+ list` file. Most applications do not need contact list acces nfo.plist` file. Most applications do not need contact list
+ s, so extra scrutiny could be applied to those that request access, so extra scrutiny could be applied to those that req
+ it. On both Android and iOS, the user can manage which appli uest it. On both Android and iOS, the user can manage which
+ cations have permission to access the contact list through t applications have permission to access the contact list thro
+ he device settings screen, revoking the permission if necess ugh the device settings screen, revoking the permission if n
+ ary. ecessary. NEW: A defender observes an Android application
+ requesting for android.permission.READ_CONTACTS, which may a
+ lso be listed in the application's manifest file.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-23 20:22:40.361000+00:00 description Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application’s manifest, or `NSContactsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.
+On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. OLD: Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application’s manifest, or `NSContactsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.
+On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary.
+
+NEW: A defender observes an Android application requesting for android.permission.READ_CONTACTS, which may also be listed in the application's manifest file. x_mitre_version 1.0 2.0 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Application granted or retaining the READ_CONTACTS permission.'}
[AN1795] Analytic 1795 Current version : 2.0
Version changed from : 1.0 → 2.0
+
+
+
+
+
+ t Application vetting services could look for `android.permisst OLD: Application vetting services could look for `android.pe
+ ion.READ_SMS` in an Android application’s manifest. Most app rmission.READ_SMS` in an Android application’s manifest. Mos
+ lications do not need access to SMS messages, so extra scrut t applications do not need access to SMS messages, so extra
+ iny could be applied to those that request it. On Android, scrutiny could be applied to those that request it. On Andr
+ the user can manage which applications have permission to ac oid, the user can manage which applications have permission
+ cess SMS messages through the device settings screen, revoki to access SMS messages through the device settings screen, r
+ ng the permission if necessary. evoking the permission if necessary. NEW: A defender observ
+ es an Android application requesting for `android.permission
+ . READ_SMS` and/or ` android.permission. RECEIVE_SMS `, whic
+ h may also be listed in the application's manifest file.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-23 22:55:59.738000+00:00 description Application vetting services could look for `android.permission.READ_SMS` in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it.
+On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. OLD: Application vetting services could look for `android.permission.READ_SMS` in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it.
+On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.
+
+NEW: A defender observes an Android application requesting for `android.permission. READ_SMS` and/or ` android.permission. RECEIVE_SMS `, which may also be listed in the application's manifest file. x_mitre_version 1.0 2.0 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Application granted or retaining the READ_SMS or RECEIVE_SMS permission.'}
iterable_item_removed STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'}
Minor Version Changes [AN1644] Analytic 1644 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may detect API calls to `perfor t Correlates (1) an application obtaining or maintaining eleva
+ mGlobalAction(int)`. The user can view a list of device adm ted control mechanisms capable of resisting removal (device
+ inistrators and applications that have registered accessibil administrator, accessibility control, managed-owner posture)
+ ity services in device settings. The user can typically visu , (2) user navigation into uninstall or application-manageme
+ ally see when an action happens that they did not initiate a nt flows, and (3) immediate UI redirection, back-navigation
+ nd can subsequently review installed applications for any ou injection, modal dismissal, or failed uninstall completion f
+ t of place or unknown ones. Applications that register an ac ollowed by continued app presence. Defender observes a causa
+ cessibility service or request device administrator permissi l chain where a removal attempt is actively disrupted and th
+ ons should be scrutinized further for malicious behavior. e target application remains installed.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between uninstall UI entry, interference event, and continued install state'}, {'field': 'ProtectedRoleSet', 'description': 'Set of elevated roles considered removal-resistant (device admin, owner modes, accessibility)'}, {'field': 'GlobalActionSet', 'description': 'UI actions considered suspicious during uninstall flows (BACK, HOME, RECENTS)'}, {'field': 'AllowedAccessibilityApps', 'description': 'Known legitimate accessibility services expected to use global actions'}, {'field': 'UninstallRetryThreshold', 'description': 'Number of repeated uninstall attempts before escalation'}, {'field': 'UplinkBytesThreshold', 'description': 'Outbound traffic threshold confirming continued meaningful activity after failed removal'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:18.846000+00:00 description Application vetting services may detect API calls to `performGlobalAction(int)`.
+The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. Correlates (1) an application obtaining or maintaining elevated control mechanisms capable of resisting removal (device administrator, accessibility control, managed-owner posture), (2) user navigation into uninstall or application-management flows, and (3) immediate UI redirection, back-navigation injection, modal dismissal, or failed uninstall completion followed by continued app presence. Defender observes a causal chain where a removal attempt is actively disrupted and the target application remains installed. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground'}
[AN1645] Analytic 1645 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can view the default SMS handler in system settings t The defender correlates SMS-relevant permission state or def
+ . ault SMS handler role with subsequent unauthorized SMS send,
+ receive interception, message database modification, deleti
+ on, or concealment behavior by an application outside expect
+ ed messaging workflows. The analytic prioritizes Android-obs
+ ervable control-plane effects: SEND_SMS or RECEIVE_SMS capab
+ ility, default SMS handler change or exercise of SMS_DELIVER
+ semantics, direct interaction with the SMS content provider
+ or messaging database, and SMS activity occurring from back
+ ground or locked-device state without recent user interactio
+ n.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between permission or role change, SMS control activity, message-store modification, and any follow-on network communication'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to send or manage SMS, such as default messaging apps, carrier tools, device migration apps, or approved enterprise communications apps'}, {'field': 'AllowedDefaultSMSHandlers', 'description': 'Approved packages allowed to become the default SMS handler on managed devices'}, {'field': 'AllowedDestinationList', 'description': 'Approved network destinations associated with legitimate messaging synchronization or carrier workflows'}, {'field': 'ForegroundStateRequired', 'description': 'Whether SMS send or message modification should occur only during active user-driven workflows'}, {'field': 'MessageModificationThreshold', 'description': 'Number of insert, update, or delete operations against SMS store within a short interval required before alerting'}, {'field': 'SMSSendRateThreshold', 'description': 'Maximum expected SMS send frequency for legitimate app behavior'}, {'field': 'HighRiskNumberPatterns', 'description': 'Environment-specific list of premium-rate, adversary-known, or non-business SMS destination patterns'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 16:57:33.679000+00:00 description The user can view the default SMS handler in system settings. The defender correlates SMS-relevant permission state or default SMS handler role with subsequent unauthorized SMS send, receive interception, message database modification, deletion, or concealment behavior by an application outside expected messaging workflows. The analytic prioritizes Android-observable control-plane effects: SEND_SMS or RECEIVE_SMS capability, default SMS handler change or exercise of SMS_DELIVER semantics, direct interaction with the SMS content provider or messaging database, and SMS activity occurring from background or locked-device state without recent user interaction. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed app granted SEND_SMS or RECEIVE_SMS permission, or app role/policy indicates SMS-capable behavior inconsistent with approved enterprise function before SMS control activity'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Default SMS handler changes to non-baselined application or managed app unexpectedly becomes or remains device default SMS app during SMS control phase'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8', 'name': 'MobileEDR:telemetry', 'channel': 'Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event'}
[AN1646] Analytic 1646 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for the Android perm t Defender correlates an app enumerating installed packages (P
+ ission `android.permission.QUERY_ALL_PACKAGES`, and apply ex ackageManager queries or shell 'pm list packages') with sele
+ tra scrutiny to applications that request it. On iOS, applic ctive checks for high-value targets (banking/identity/securi
+ ation vetting services could look for usage of the private A ty apps) and near-term persistence/egress of the inventory.
+ PI `LSApplicationWorkspace` and apply extra scrutiny to appl Chain: capability to query apps → burst of enumeration calls
+ ications that employ it. or shell listing → optional foreground target detection → l
+ ocal inventory file → small POST to remote endpoint.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from enumeration to persist/exfil (e.g., 10–120s).'}, {'field': 'MinEnumCount', 'description': 'Minimum count of package queries or listed rows to treat as inventory (e.g., ≥50).'}, {'field': 'TargetAppWatchlist', 'description': 'List of sensitive app package prefixes (banking/IdP/AV/MDM) to raise severity.'}, {'field': 'PersistPathRegex', 'description': 'Regex for inventory artifacts in the app container.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Known-good analytics/CDN endpoints to suppress FPs.'}, {'field': 'UserContext', 'description': 'Work Profile/Kiosk/Jamf/Intune policy context to scope benign inventory jobs.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 20:03:14.269000+00:00 description Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it. Defender correlates an app enumerating installed packages (PackageManager queries or shell 'pm list packages') with selective checks for high-value targets (banking/identity/security apps) and near-term persistence/egress of the inventory. Chain: capability to query apps → burst of enumeration calls or shell listing → optional foreground target detection → local inventory file → small POST to remote endpoint. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for . TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by '}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'android:logcat', 'channel': "Command 'pm list packages' executed by app sandbox or child proc"} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'CREATE/WRITE /data/data//(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)'}
[AN1647] Analytic 1647 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for the Android perm t Defender correlates attempts to inventory installed apps via
+ ission `android.permission.QUERY_ALL_PACKAGES`, and apply ex LaunchServices/URL-scheme probing or private APIs (e.g., LS
+ tra scrutiny to applications that request it. On iOS, applic ApplicationWorkspace) with checks for high-value targets and
+ ation vetting services could look for usage of the private A quick persistence/egress. Chain: capability/attempt (URL sc
+ PI `LSApplicationWorkspace` and apply extra scrutiny to appl heme spray or LSWorkspace calls) → large scheme/app probe se
+ ications that employ it. t → optional webview hits to brand domains → local inventory
+ cache → small egress.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from probe burst to persist/exfil (e.g., 10–120s).'}, {'field': 'MinProbeCount', 'description': 'Minimum count of scheme/app probes to treat as inventory (e.g., ≥40).'}, {'field': 'TargetBundleWatchlist', 'description': 'Bundle IDs/schemes of sensitive targets (banking/IdP/AV/MDM).'}, {'field': 'PersistPathRegex', 'description': 'Regex for inventory artifacts in container.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Allowlist of enterprise analytics/CDN to reduce FPs.'}, {'field': 'JailbreakContext', 'description': 'Flag to escalate if private APIs appear on non-managed devices.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 20:27:08.190000+00:00 description Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it. Defender correlates attempts to inventory installed apps via LaunchServices/URL-scheme probing or private APIs (e.g., LSApplicationWorkspace) with checks for high-value targets and quick persistence/egress. Chain: capability/attempt (URL scheme spray or LSWorkspace calls) → large scheme/app probe set → optional webview hits to brand domains → local inventory cache → small egress. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'Repeated canOpenURL checks across diverse schemes (≥N within short window)'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)'}
[AN1648] Analytic 1648 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t System information discovery can be difficult to detect, and t Defender correlates an app process performing a burst of OS/
+ therefore enterprises may be better served focusing on dete device attribute lookups (build, hardware, SDK level, system
+ ction at other stages of adversarial behavior. properties) with near-term execution branching (feature gat
+ ing, module load, permission workflow changes) and/or immedi
+ ate outbound communications, indicating environment evaluati
+ on used to shape follow-on actions.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)'}] x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Correlation window for system-info collection burst → outbound transmission (e.g., 60–900s).'}, {'field': 'MinSystemInfoSignals', 'description': 'Minimum number of distinct system-attribute reads/queries within window to count as ‘broad fingerprinting’ (tune to telemetry fidelity).'}, {'field': 'DistinctAttributeThreshold', 'description': 'How many distinct attribute categories (build fields, cpu, locale, patch level, network identifiers) must be observed.'}, {'field': 'BackgroundOnly', 'description': 'If true, require the burst occurs while app is background to reduce noise from legitimate settings/about-device screens.'}, {'field': 'AllowlistedPackages', 'description': 'Legitimate device management, diagnostics, carrier services, and enterprise security apps expected to collect device inventory.'}, {'field': 'NewDomainWindowSeconds', 'description': 'Window for ‘newly contacted domain’ enrichment after fingerprinting burst.'}, {'field': 'SmallPostByteRange', 'description': 'Approximate payload size range used for ‘fingerprint submit’ heuristic (environment dependent).'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-23 17:40:11.076000+00:00 description System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. Defender correlates an app process performing a burst of OS/device attribute lookups (build, hardware, SDK level, system properties) with near-term execution branching (feature gating, module load, permission workflow changes) and/or immediate outbound communications, indicating environment evaluation used to shape follow-on actions. x_mitre_version 1.0 1.1
[AN1649] Analytic 1649 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t System information discovery can be difficult to detect, and t Defender correlates an app querying device model and iOS ver
+ therefore enterprises may be better served focusing on dete sion (often limited to UIDevice-visible attributes) with sub
+ ction at other stages of adversarial behavior. sequent behavior divergence (capability gating, alternate co
+ de paths) and/or near-term outbound connections, suggesting
+ device fingerprinting for decision-making rather than normal
+ telemetry.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Application invokes UIDevice queries (model, systemVersion, name)'}] x_mitre_mutable_elements [{'field': 'QueryFrequencyThreshold', 'description': 'Baseline-dependent threshold for distinguishing normal app telemetry from discovery behavior'}, {'field': 'QueryToExecutionDeviationWindow', 'description': 'Defines acceptable delay between device queries and execution changes'}, {'field': 'DeviceModelBaseline', 'description': 'Allows tuning for environments with homogeneous vs heterogeneous device fleets'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-23 17:42:33.331000+00:00 description System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. Defender correlates an app querying device model and iOS version (often limited to UIDevice-visible attributes) with subsequent behavior divergence (capability gating, alternate code paths) and/or near-term outbound connections, suggesting device fingerprinting for decision-making rather than normal telemetry. x_mitre_version 1.0 1.1
[AN1652] Analytic 1652 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can view a list of device administrators in device t Correlates (1) acquisition or presence of elevated control p
+ settings and revoke permission where appropriate. Applicatio aths capable of forcing a lock state or blocking user intera
+ ns that request device administrator permissions should be s ction, (2) invocation of screen-locking or UI-denial behavio
+ crutinized further for malicious behavior. r such as DevicePolicyManager lock operations, persistent ov
+ erlays, accessibility-driven navigation interruption, or for
+ eground lock-screen impersonation, and (3) immediate transit
+ ion of the device into an unavailable or repeatedly re-locke
+ d state while the responsible application remains installed
+ and active. The defender observes a causal chain where an ap
+ plication first gains the ability to control lock-related be
+ havior, then forces or simulates lockout, and the device bec
+ omes unusable to the legitimate user.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between privileged control acquisition, lockout action, and resulting device lock state'}, {'field': 'ProtectedRoleSet', 'description': 'Set of elevated roles that materially increase lockout capability, such as device admin, device owner, profile owner, or accessibility service'}, {'field': 'LockActionSet', 'description': 'Framework actions treated as lockout-relevant, including lockNow, password-control changes, overlay persistence, and UI-denial actions'}, {'field': 'AllowedAdminApps', 'description': 'Baseline of legitimate enterprise or security apps expected to invoke lock-related controls'}, {'field': 'RelockThreshold', 'description': 'Number of repeated lock or lock-like transitions in a short interval required before escalation'}, {'field': 'UplinkBytesThreshold', 'description': 'Outbound traffic threshold confirming continued meaningful activity after lockout'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:31.921000+00:00 description The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior. Correlates (1) acquisition or presence of elevated control paths capable of forcing a lock state or blocking user interaction, (2) invocation of screen-locking or UI-denial behavior such as DevicePolicyManager lock operations, persistent overlays, accessibility-driven navigation interruption, or foreground lock-screen impersonation, and (3) immediate transition of the device into an unavailable or repeatedly re-locked state while the responsible application remains installed and active. The defender observes a causal chain where an application first gains the ability to control lock-related behavior, then forces or simulates lockout, and the device becomes unusable to the legitimate user. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application enabled as device administrator, device owner, or profile owner before screen-lock or password-control activity'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application granted accessibility service privileges capable of intercepting UI flow or sustaining user-interaction denial before lockout event'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state'}
[AN1653] Analytic 1653 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Integrity checking mechanisms can potentially detect unautho t The defender observes a newly enrolled or recently activated
+ rized hardware modifications. device presenting abnormal integrity, hardware-backed attes
+ tation, or firmware/build relationships at the management pl
+ ane, followed by privileged or system-context access to prot
+ ected resources or framework paths, and then outbound commun
+ ication inconsistent with setup state, lock state, or recent
+ user interaction. The causal sequence is strongest when the
+ device has not yet reached a normal trusted posture but sti
+ ll exhibits system-level capability use or network activity.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between enrollment/posture anomaly, privileged capability use, and network egress.'}, {'field': 'AllowedOEMComponents', 'description': 'Approved system identities, preload packages, and OEM services differ by model and fleet.'}, {'field': 'AllowedDestinations', 'description': 'OEM update, activation, MDM, and enterprise service destinations vary by environment.'}, {'field': 'ForegroundStateRequired', 'description': 'Some protected resource access may be legitimate only when the app is foregrounded.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close resource access must be to user interaction to be considered expected.'}, {'field': 'EnrollmentGracePeriod', 'description': 'Initial setup/update behavior may generate benign network or configuration drift for a short period.'}, {'field': 'UplinkBytesThreshold', 'description': 'Size threshold for suspicious outbound transfer from a device in abnormal posture.'}, {'field': 'ApprovedImageBaseline', 'description': 'Known-good build fingerprint, patch, boot state, and baseband combinations vary by device fleet.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-16 21:48:51.316000+00:00 description Integrity checking mechanisms can potentially detect unauthorized hardware modifications. The defender observes a newly enrolled or recently activated device presenting abnormal integrity, hardware-backed attestation, or firmware/build relationships at the management plane, followed by privileged or system-context access to protected resources or framework paths, and then outbound communication inconsistent with setup state, lock state, or recent user interaction. The causal sequence is strongest when the device has not yet reached a normal trusted posture but still exhibits system-level capability use or network activity. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Device enrollment or compliance event shows failed or degraded verified boot, hardware-backed attestation mismatch, patch/build/baseband inconsistency, or unexpected device property drift near first contact'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Protected resource use or privileged framework access occurs while device is locked, before normal setup completion, or from an app/service not in foreground and not on approved preload list'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image'}
[AN1654] Analytic 1654 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Integrity checking mechanisms can potentially detect unautho t The defender observes a device at activation, supervision, o
+ rized hardware modifications. r enrollment time with unusual management-plane posture, inv
+ entory, or trust characteristics and then relies primarily o
+ n downstream network effects and device state inconsistencie
+ s rather than direct low-level process telemetry. On iOS, th
+ e most reliable sequence is supervision/attestation or inven
+ tory concern near first contact followed by network egress o
+ r protected-state behavior that is inconsistent with lock st
+ ate, setup phase, or expected managed app activity.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between enrollment/inventory concern and suspicious network activity.'}, {'field': 'SupervisedRequired', 'description': 'Most strong posture and inventory analytics require supervised iOS devices.'}, {'field': 'AllowedDestinations', 'description': 'Apple, MDM, update, enterprise, and managed SaaS destinations vary by organization.'}, {'field': 'BackgroundRefreshBaseline', 'description': 'Expected background network behavior varies by managed app set and policy.'}, {'field': 'ActivationGracePeriod', 'description': 'Benign activation, restore, and setup traffic can be noisy immediately after provisioning.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how recently the user must have interacted for activity to be considered expected.'}, {'field': 'InventoryDriftTolerance', 'description': 'Tuning for acceptable changes in inventory/configuration during upgrades or replacements.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-16 22:10:25.735000+00:00 description Integrity checking mechanisms can potentially detect unauthorized hardware modifications. The defender observes a device at activation, supervision, or enrollment time with unusual management-plane posture, inventory, or trust characteristics and then relies primarily on downstream network effects and device state inconsistencies rather than direct low-level process telemetry. On iOS, the most reliable sequence is supervision/attestation or inventory concern near first contact followed by network egress or protected-state behavior that is inconsistent with lock state, setup phase, or expected managed app activity. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Supervised enrollment, activation, or inventory event reveals unexpected device property relationships, anomalous managed posture, unexplained configuration drift near first contact, or identity/inventory characteristics inconsistent with approved procurement baseline'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Managed app or device-originated network activity occurs while the device is locked or before expected managed app initialization sequence, inconsistent with expected background refresh baseline'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior'}
[AN1657] Analytic 1657 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Command-line activities can potentially be detected through t The defender correlates app-driven shell-launch behavior wit
+ Mobile Threat Defense (MTD) integrations with lower-level OS h subsequent execution of Unix shell processes or shell-scri
+ APIs. This could grant the MTD agents access to running pro pt activity under the same app context, especially when exec
+ cesses and their parameters, potentially detecting unwanted ution occurs from background state, without recent user inte
+ or malicious shells. Mobile Threat Defense (MTD) with lower- raction, or is followed by file-system, privilege-escalation
+ level OS APIs integrations may have access to newly created , or network effects inconsistent with the app's declared ro
+ processes and their parameters, potentially detecting unwant le. The analytic prioritizes Android-observable control-plan
+ ed or malicious shells. Application vetting services could d e effects: Runtime or ProcessBuilder invocation, spawn of sh
+ etect the invocations of methods that could be used to execu /toybox/toolbox/su or equivalent shell process, script-file
+ te shell commands.(Citation: Samsung Knox Mobile Threat Defe staging or redirected output, and post-execution network or
+ nse) Mobile Threat Defense (MTD) with lower-level OS APIs in local artifact creation.
+ tegrations may have access to running processes and their pa
+ rameters, potentially detecting unwanted or malicious shells
+ .
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between shell-launch method use, Unix shell process creation, and follow-on file or network effects'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to run shells, such as approved terminal apps, enterprise support tools, device management agents, or developer tooling'}, {'field': 'AllowedProcessPatterns', 'description': 'Expected shell binaries, parent-child process chains, and helper-process patterns for approved apps'}, {'field': 'ForegroundStateRequired', 'description': 'Whether Unix shell execution should occur only during active user-driven workflows'}, {'field': 'CommandArgumentRiskPatterns', 'description': 'Environment-specific list of suspicious shell arguments, pipes, redirection, chaining operators, or privilege-escalation references'}, {'field': 'SensitivePathPatterns', 'description': 'Environment-specific list of high-value file paths or system locations touched after shell execution'}, {'field': 'PostExecutionWriteThreshold', 'description': 'Minimum number or size of artifacts created after shell execution to increase confidence'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume after shell execution to treat network behavior as meaningful'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 20:47:35.790000+00:00 description Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.
+Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.
+Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)
+Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells. The defender correlates app-driven shell-launch behavior with subsequent execution of Unix shell processes or shell-script activity under the same app context, especially when execution occurs from background state, without recent user interaction, or is followed by file-system, privilege-escalation, or network effects inconsistent with the app's declared role. The analytic prioritizes Android-observable control-plane effects: Runtime or ProcessBuilder invocation, spawn of sh/toybox/toolbox/su or equivalent shell process, script-file staging or redirected output, and post-execution network or local artifact creation. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'Command', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'Process', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'MobileEDR:telemetry', 'channel': 'Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Samsung Knox Mobile Threat Defense', 'description': 'Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.', 'url': 'https://partner.samsungknox.com/mtd'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1', 'name': 'Process', 'channel': 'None'}
[AN1658] Analytic 1658 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Command-line activities can potentially be detected through t The defender correlates managed-app process-launch or shell-
+ Mobile Threat Defense (MTD) integrations with lower-level OS like execution effects with subsequent file or network activ
+ APIs. This could grant the MTD agents access to running pro ity by the same app, then raises confidence when execution o
+ cesses and their parameters, potentially detecting unwanted ccurs in background context, without recent user interaction
+ or malicious shells. Mobile Threat Defense (MTD) with lower- , or appears tied to command delivery or output exfiltration
+ level OS APIs integrations may have access to newly created . Because direct Unix-shell observability is typically weake
+ processes and their parameters, potentially detecting unwant r on iOS and child processes remain constrained by the app s
+ ed or malicious shells. Application vetting services could d andbox, the analytic anchors on process-execution effects wh
+ etect the invocations of methods that could be used to execu ere available and then on lifecycle, file, and network side
+ te shell commands.(Citation: Samsung Knox Mobile Threat Defe effects rather than assuming rich shell-parameter visibility
+ nse) Mobile Threat Defense (MTD) with lower-level OS APIs in in all environments.
+ tegrations may have access to running processes and their pa
+ rameters, potentially detecting unwanted or malicious shells
+ .
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between shell-like execution indication, process effects, and follow-on file or network behavior'}, {'field': 'AllowedAppList', 'description': 'Managed apps legitimately expected to perform debugging, remote support, or enterprise automation tasks'}, {'field': 'AllowedProcessPatterns', 'description': 'Expected helper-process or process-launch patterns for approved managed apps'}, {'field': 'ForegroundStateRequired', 'description': 'Whether shell-like execution should occur only during active user-driven workflows'}, {'field': 'ArtifactPathPatterns', 'description': 'Expected temporary or output file locations for approved app behavior'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume after shell-like execution to treat network behavior as meaningful'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 20:52:16.713000+00:00 description Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.
+Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.
+Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)
+Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells. The defender correlates managed-app process-launch or shell-like execution effects with subsequent file or network activity by the same app, then raises confidence when execution occurs in background context, without recent user interaction, or appears tied to command delivery or output exfiltration. Because direct Unix-shell observability is typically weaker on iOS and child processes remain constrained by the app sandbox, the analytic anchors on process-execution effects where available and then on lifecycle, file, and network side effects rather than assuming rich shell-parameter visibility in all environments. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'Command', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Samsung Knox Mobile Threat Defense', 'description': 'Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.', 'url': 'https://partner.samsungknox.com/mtd'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'Process', 'channel': 'None'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1', 'name': 'Process', 'channel': 'None'}
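Review bot: The updated description still carries `(Citation: Samsung Knox Mobile Threat Defense)` in its application-vetting sentence, while the iterable_item_removed row of the same change drops the external_references entry with `source_name: 'Samsung Knox Mobile Threat Defense'`, so the citation marker no longer resolves to anything; either keep that external reference or remove the sentence that cites it. Separately, after removing the Process and Application Vetting references this analytic is left with a single `MobileEDR:telemetry` channel, yet the new text says the iOS analytic falls back to lifecycle, file and network side effects — those fallbacks have no log source reference, unlike AN1664 which declares `VPN:MobileProxy` and `iOS:MDMLog` channels for its iOS network and device-state conditions. If the fallback is meant to be actionable, add a network or MDM channel for it; if not, the description should say the analytic degrades to the process-execution channel only.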
[AN1663] Analytic 1663 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may provide a list of connectio t The defender correlates repeated or periodic app-attributed
+ ns made or received by an application, or a list of domains retrieval from a legitimate public web-service platform with
+ contacted by the application. Many properly configured firew runtime conditions showing that the retrieval is not aligne
+ alls may naturally block one-way command and control traffic d to normal foreground consumption, user interaction, or app
+ . roved app role. The strongest Android evidence is a managed
+ or installed app repeatedly issuing inbound-oriented GET, fe
+ tch, sync, or content-pull operations to social, collaborati
+ on, paste, code-hosting, cloud-storage, messaging, or generi
+ c HTTPS platforms while the app is backgrounded, while the d
+ evice is locked, or without recent user interaction, and wit
+ hout a corresponding outbound writeback to that same service
+ class during the operational window. The detection is stren
+ gthened when the retrieval is temporally adjacent to schedul
+ ed/background execution, local state changes, or later downs
+ tream effects that do not require the same public platform t
+ o receive output.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window used to evaluate recurring retrieval and absence of same-service writeback.'}, {'field': 'AllowedAppList', 'description': 'Approved app identities vary by organization, role, and device group.'}, {'field': 'AllowedServiceClasses', 'description': 'Some apps legitimately retrieve content from collaboration, messaging, storage, or code-hosting services.'}, {'field': 'AllowedReadOnlyMappings', 'description': 'Defines which apps are expected to only retrieve, and under what foreground/background conditions.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close retrieval must be to user activity to be considered expected'}, {'field': 'BeaconIntervalTolerance', 'description': 'Allowed recurrence interval for benign refresh, sync, or polling behavior differs by app category'}, {'field': 'ForegroundStateRequired', 'description': 'Some apps should only retrieve from certain public service classes while foregrounded'}, {'field': 'InboundOutboundRatioThreshold', 'description': 'Expected ratio of inbound to outbound bytes for benign app refresh behavior varies by workload.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-19 15:15:16.075000+00:00 description Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.
+Many properly configured firewalls may naturally block one-way command and control traffic. The defender correlates repeated or periodic app-attributed retrieval from a legitimate public web-service platform with runtime conditions showing that the retrieval is not aligned to normal foreground consumption, user interaction, or approved app role. The strongest Android evidence is a managed or installed app repeatedly issuing inbound-oriented GET, fetch, sync, or content-pull operations to social, collaboration, paste, code-hosting, cloud-storage, messaging, or generic HTTPS platforms while the app is backgrounded, while the device is locked, or without recent user interaction, and without a corresponding outbound writeback to that same service class during the operational window. The detection is strengthened when the retrieval is temporally adjacent to scheduled/background execution, local state changes, or later downstream effects that do not require the same public platform to receive output. 
x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'AppState=background when repeated retrieval from public web-service domain began and no foreground transition occurred during the retrieval sequence'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App identity performing repeated one-way retrieval was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for background content retrieval'}
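Review bot: The retained sentence `Many properly configured firewalls may naturally block one-way command and control traffic.` now contradicts the analytic that follows it, which is explicitly about retrieval from legitimate public web-service platforms over HTTPS — traffic a perimeter firewall is configured to allow. I would replace it with something like `Because retrieval from legitimate public web services over HTTPS is rarely blocked by network controls, detection relies on behavioral correlation rather than filtering.` Also, both `VPN:MobileProxy` channels key on HTTP method (GET versus POST, PUT, PATCH); that is only observable when the proxy terminates TLS, and apps that pin certificates will leave those sessions opaque, so the description should state that for uninspected TLS only the byte-ratio condition (`InboundOutboundRatioThreshold`) applies.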
[AN1664] Analytic 1664 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may provide a list of connectio t The defender correlates repeated retrieval-oriented communic
+ ns made or received by an application, or a list of domains ation from a supervised device or managed iOS app to a legit
+ contacted by the application. Many properly configured firew imate public web-service platform where the activity remains
+ alls may naturally block one-way command and control traffic primarily inbound and does not produce corresponding writeb
+ . ack to that same service class during the operational window
+ . The strongest iOS evidence is managed-app or device-attrib
+ uted communication to collaboration, social, messaging, stor
+ age, or generic HTTPS platforms where inbound fetches or con
+ tent pulls recur during background refresh, while the device
+ is locked, or without recent user interaction, and no match
+ ing POST, upload, update, or message-send activity to that s
+ ame public service class is observed. Because direct local r
+ untime visibility is weaker than Android, the primary analyt
+ ic is anchored on network directionality plus supervised man
+ aged-app and device-state context.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window used to evaluate recurring retrieval and absence of same-service writeback.'}, {'field': 'SupervisedRequired', 'description': 'Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices.'}, {'field': 'AllowedManagedApps', 'description': 'Approved managed bundle identities vary by organization and device profile.'}, {'field': 'AllowedServiceClasses', 'description': 'Some managed apps legitimately retrieve content from storage, collaboration, or messaging services.'}, {'field': 'AllowedReadOnlyMappings', 'description': 'Defines which bundles are expected to retrieve without writeback, and in what context.'}, {'field': 'BackgroundRefreshBaseline', 'description': 'Expected background retrieval behavior differs across managed app categories.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close retrieval must be to user activity to be considered expected.'}, {'field': 'BeaconIntervalTolerance', 'description': 'Allowed recurrence interval for benign refresh, polling, or sync behavior differs by bundle type.'}, {'field': 'InboundOutboundRatioThreshold', 'description': 'Expected ratio of inbound to outbound bytes for benign managed-app refresh behavior varies by workflow.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-19 15:26:39.271000+00:00 description Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.
+Many properly configured firewalls may naturally block one-way command and control traffic. The defender correlates repeated retrieval-oriented communication from a supervised device or managed iOS app to a legitimate public web-service platform where the activity remains primarily inbound and does not produce corresponding writeback to that same service class during the operational window. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, social, messaging, storage, or generic HTTPS platforms where inbound fetches or content pulls recur during background refresh, while the device is locked, or without recent user interaction, and no matching POST, upload, update, or message-send activity to that same public service class is observed. Because direct local runtime visibility is weaker than Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low 
outbound volume relative to inbound content'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Bundle performing repeated one-way retrieval was not present in approved managed-app baseline or was not permitted to use detected public web-service class for background content retrieval'}
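Review bot: The `VPN:MobileProxy` channels assert method-level visibility (`HTTP GET ... without app-attributed POST, PUT, PATCH`), but on iOS that requires a per-app VPN or managed proxy that terminates TLS, and App Transport Security plus certificate pinning in the social, messaging and storage apps named here will leave many sessions opaque; the description's own caveat about weaker local visibility should extend to this, e.g. `Where TLS is not inspected, directionality is inferred from the inbound/outbound byte ratio (InboundOutboundRatioThreshold) rather than from HTTP method.` Per-app attribution on iOS is likewise only available for managed apps on supervised devices, which the `SupervisedRequired` element implies but the first two channels do not state. The retained opening sentence about firewalls blocking one-way C2 traffic also conflicts with the premise that the endpoint is a legitimate public web service and should be reworded as in AN1663.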
[AN1665] Analytic 1665 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can also inspect and modify the list of application t An application is granted or maintains notification listener
+ s that have notification access through the device settings access, observes notification content from other applicatio
+ (e.g. Apps & notification -> Special app access -> Notificat ns (including sensitive sources such as SMS/email/2FA apps),
+ ion access). Application vetting services can look for appl processes or stores notification payloads, and optionally s
+ ications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` uppresses or programmatically interacts with notifications (
+ permission in a service declaration. dismiss/action triggers) without corresponding foreground us
+ er interaction. Detection correlates special access permissi
+ on state + notification event interception + application bac
+ kground state + downstream data use (local write or network
+ transmission).
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between notification interception and subsequent data write or network transmission varies by app behavior'}, {'field': 'AllowedAppList', 'description': 'Enterprise-approved apps with legitimate notification access (e.g., accessibility tools, wearables)'}, {'field': 'ForegroundStateRequired', 'description': 'Whether notification access is expected only when the app is foregrounded'}, {'field': 'UplinkBytesThreshold', 'description': 'Threshold for small outbound payloads indicative of notification content exfiltration'}, {'field': 'SensitiveSourceApps', 'description': 'Apps whose notifications are considered sensitive (SMS, email, authenticator apps)'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-01 14:50:46.895000+00:00 description The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access).
+Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. An application is granted or maintains notification listener access, observes notification content from other applications (including sensitive sources such as SMS/email/2FA apps), processes or stores notification payloads, and optionally suppresses or programmatically interacts with notifications (dismiss/action triggers) without corresponding foreground user interaction. Detection correlates special access permission state + notification event interception + application background state + downstream data use (local write or network transmission). x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Notification access event occurs while app_state=background AND device_state=locked OR no recent user interaction'}
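Review bot: The added `MobileEDR:telemetry` channel reads `app_state=background AND device_state=locked OR no recent user interaction`, which is ambiguous without parentheses and under the usual precedence fires on any idle-but-unlocked device regardless of app state; from the description (`without corresponding foreground user interaction`) the intended form is `app_state=background AND (device_state=locked OR no recent user interaction)`. The `android:MDMLog` channel has the same shape problem: `NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list` fires on every listener enablement, including approved wearable and accessibility companions, unless the allow-list qualifier is meant to cover both clauses — suggest `NotificationListenerService enabled or notification access granted for an app not in the enterprise-approved list`. It is also worth saying in the description that a bound NotificationListenerService runs in the background by design, so background state alone is weak evidence and the weight should sit on `SensitiveSourceApps` interception plus the downstream write and uplink conditions.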
[AN1666] Analytic 1666 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can view applications that have registered accessib t The defender correlates Android accessibility or UI-automati
+ ility services in the accessibility menu within the device s on-capable behavior from an app identity with injected user-
+ ettings. interface actions occurring on behalf of the user in another
+ foreground application. The strongest Android evidence is a
+ ccessibility-enabled or similarly privileged app behavior th
+ at triggers programmatic clicks, global actions, or text ins
+ ertion into another app's active UI, especially when those a
+ ctions occur without matching user touch interaction, while
+ the injecting app is backgrounded or foreground-service-only
+ , or when the target foreground app belongs to a sensitive c
+ ategory such as banking, payments, identity, communications,
+ or enterprise access. The detection is strengthened when th
+ e injected input sequence is followed by target-app navigati
+ on, form submission, transaction progression, or network act
+ ivity from the target context.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window linking injected actions to target-app navigation, submission, or downstream network effects.'}, {'field': 'AllowedAppList', 'description': 'Approved accessibility, autofill, remote-assist, or QA/testing apps vary by organization and device group.'}, {'field': 'AllowedAccessibilityApps', 'description': 'Approved accessibility-enabled apps vary by assistive and enterprise workflow.'}, {'field': 'AllowedAutofillApps', 'description': 'Approved password managers or autofill-capable apps may legitimately inject text into fields.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close an injected action must be to user interaction to be considered expected.'}, {'field': 'SensitiveForegroundAppCategories', 'description': 'Categories such as banking, payments, identity, communications, and enterprise access may warrant higher sensitivity.'}, {'field': 'GlobalActionBurstThreshold', 'description': 'Threshold for repeated programmatic global actions within a short window.'}, {'field': 'TextInjectionLengthThreshold', 'description': 'Minimum inserted text length or field-population pattern considered suspicious outside approved autofill workflows.'}, {'field': 'ConsentOrSetupGracePeriod', 'description': 'Grace period allowed after explicit user enablement of approved accessibility or autofill workflows before injection is treated as suspicious.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-30 16:54:01.193000+00:00 description The user can view applications that have registered accessibility services in the accessibility menu within the device settings. The defender correlates Android accessibility or UI-automation-capable behavior from an app identity with injected user-interface actions occurring on behalf of the user in another foreground application. The strongest Android evidence is accessibility-enabled or similarly privileged app behavior that triggers programmatic clicks, global actions, or text insertion into another app's active UI, especially when those actions occur without matching user touch interaction, while the injecting app is backgrounded or foreground-service-only, or when the target foreground app belongs to a sensitive category such as banking, payments, identity, communications, or enterprise access. The detection is strengthened when the injected input sequence is followed by target-app navigation, form submission, transaction progression, or network activity from the target context. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Injecting app remained backgrounded or foreground-service-only while injected click, global action, or text insertion occurred in a different foreground app'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before injected UI action and no matching touch interaction was observed for the target foreground app during injection sequence'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Sensitive app category remained foregrounded during injected UI sequence from different app identity'}
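Review bot: Every log source reference for this analytic is now `MobileEDR:telemetry` reporting which app injected a click, global action or text, but as far as I know an unprivileged Android agent cannot attribute a performed accessibility action to the injecting service without OEM or device-owner hooks, so the one reliably observable control-plane signal — which accessibility services are enabled — has no channel, even though the retained settings-menu sentence and the `AllowedAccessibilityApps` element both presuppose it. Mirroring AN1665's MDM channel, add an `android:MDMLog` reference such as `Accessibility service enabled or re-enabled for app not in AllowedAccessibilityApps`. The mutable elements `AllowedAppList` and `AllowedAccessibilityApps` also overlap almost entirely; either merge them or state how they differ.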
[AN1669] Analytic 1669 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can often alert the user if their d t A defender correlates navigation to external web content in
+ evice is vulnerable to known exploits. a browser or embedded WebView with immediate script-heavy or
+ exploit-preparation network activity, followed by abnormal
+ browser/WebView process behavior, suspicious file or downloa
+ d artifacts, or rapid post-visit capability shifts such as n
+ ew package install attempts, overlay prompts, permission req
+ uests, or outbound command traffic inconsistent with normal
+ browsing.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'NavigationToExploitWindow', 'description': 'Time window used to correlate web navigation with redirects, fingerprinting, downloads, or post-visit capability changes.'}, {'field': 'AllowedBrowserApps', 'description': 'Allow-list of expected browsers or sanctioned WebView-hosting apps used in the enterprise.'}, {'field': 'RedirectChainThreshold', 'description': 'Threshold for suspicious number of redirects or cross-domain hops during a single browsing session.'}, {'field': 'NewDomainBurstThreshold', 'description': 'Threshold for the number of newly observed domains contacted in a short browsing window.'}, {'field': 'DownloadArtifactThreshold', 'description': 'Threshold for suspicious downloaded or cached artifacts created after navigation.'}, {'field': 'PostVisitCapabilityShiftRequired', 'description': 'Determines whether to require a new install/prompt/permission/overlay event after browsing to raise confidence.'}, {'field': 'AllowedAdTechDomains', 'description': 'Baseline of normal advertising/CDN/tracking domains to reduce false positives from legitimate browsing.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-09 17:32:52.483000+00:00 description Mobile security products can often alert the user if their device is vulnerable to known exploits. A defender correlates navigation to external web content in a browser or embedded WebView with immediate script-heavy or exploit-preparation network activity, followed by abnormal browser/WebView process behavior, suspicious file or download artifacts, or rapid post-visit capability shifts such as new package install attempts, overlay prompts, permission requests, or outbound command traffic inconsistent with normal browsing. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'New permission prompt, package install attempt, accessibility/overlay special access request, or other post-browse capability escalation following browser/WebView activity'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior'}
[AN1670] Analytic 1670 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can often alert the user if their d t A defender correlates Safari or embedded web content navigat
+ evice is vulnerable to known exploits. ion with short-lived but abnormal web session behavior such
+ as staged redirects, environment fingerprinting, or exploit-
+ preparation fetches, followed by browser/WebView instability
+ , unusual file handling, profile/download prompts, or near-t
+ erm changes in device or application behavior inconsistent w
+ ith normal browsing.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'NavigationToExploitWindow', 'description': 'Time window linking Safari/WebView navigation to redirects, downloads, crashes, or post-visit state changes.'}, {'field': 'AllowedBrowserApps', 'description': 'Allow-list of expected browsers and sanctioned embedded web container apps.'}, {'field': 'RedirectChainThreshold', 'description': 'Threshold for suspicious redirect depth or cross-domain chaining.'}, {'field': 'FingerprintingRequestThreshold', 'description': 'Threshold for suspicious browser/environment enumeration requests during browsing session.'}, {'field': 'DownloadArtifactThreshold', 'description': 'Threshold for suspicious downloaded files, profiles, or cached artifacts created after page visit.'}, {'field': 'PostVisitBehaviorShiftThreshold', 'description': 'Threshold for abnormal changes in app/device behavior after browsing, such as repeated browser crashes or unexpected handoffs.'}, {'field': 'AllowedAdTechDomains', 'description': 'Baseline of expected ad-tech, CDN, and analytics domains to suppress benign browsing noise.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-09 17:36:14.306000+00:00 description Mobile security products can often alert the user if their device is vulnerable to known exploits. A defender correlates Safari or embedded web content navigation with short-lived but abnormal web session behavior such as staged redirects, environment fingerprinting, or exploit-preparation fetches, followed by browser/WebView instability, unusual file handling, profile/download prompts, or near-term changes in device or application behavior inconsistent with normal browsing. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Post-browse configuration profile prompt, managed/unmanaged app handoff anomaly, or compliance-relevant state change shortly after browser activity'}
[AN1675] Analytic 1675 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Many properly configured firewalls may naturally block comma t The defender correlates an app-attributed request to a legit
+ nd and control traffic. Application vetting services may pro imate public web platform with a subsequent outbound connect
+ vide a list of connections made or received by an applicatio ion to a newly derived or previously unseen destination with
+ n, or a list of domains contacted by the application. in a short time window. The behavior is strengthened when th
+ e initial request retrieves structured or encoded content fo
+ llowed by a pivot to a different domain or IP that was not p
+ reviously contacted by the app, especially when occurring wi
+ thout user interaction, in background state, or immediately
+ after app initialization or scheduled execution. This sequen
+ ce reflects resolver retrieval followed by dynamic C2 resolu
+ tion.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum allowed time between resolver retrieval and pivot connection (e.g., 5–60 seconds).'}, {'field': 'NewDomainThreshold', 'description': 'Defines what qualifies as a previously unseen or rare destination for the app or device.'}, {'field': 'AllowedServiceToDestinationMapping', 'description': 'Legitimate mappings between apps and expected downstream services.'}, {'field': 'UserInteractionThreshold', 'description': 'Defines acceptable delay between user interaction and network activity.'}, {'field': 'PayloadSizeThreshold', 'description': 'Small resolver responses followed by larger pivot traffic can indicate extraction behavior.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-17 20:48:31.295000+00:00 description Many properly configured firewalls may naturally block command and control traffic.
+Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. The defender correlates an app-attributed request to a legitimate public web platform with a subsequent outbound connection to a newly derived or previously unseen destination within a short time window. The behavior is strengthened when the initial request retrieves structured or encoded content followed by a pivot to a different domain or IP that was not previously contacted by the app, especially when occurring without user interaction, in background state, or immediately after app initialization or scheduled execution. This sequence reflects resolver retrieval followed by dynamic C2 resolution. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'AppState=background or foreground_service active when resolver retrieval request occurred and pivot connection followed without foreground transition'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before resolver retrieval and subsequent pivot connection sequence'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App initiating resolver→pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure'}
[AN1676] Analytic 1676 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Many properly configured firewalls may naturally block comma t The defender correlates a supervised-device or managed-app r
+ nd and control traffic. Application vetting services may pro equest to a legitimate web platform with a subsequent connec
+ vide a list of connections made or received by an applicatio tion to a newly derived destination that is not part of the
+ n, or a list of domains contacted by the application. expected service interaction. Because iOS has weaker app-lev
+ el telemetry, the strongest signal is a network-level sequen
+ ce where a request to a known public platform is immediately
+ followed by a connection to a different domain or IP, parti
+ cularly when the device is locked, no recent user interactio
+ n occurred, and the bundle is not expected to interact with
+ such downstream infrastructure.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum allowed time between resolver retrieval and pivot connection.'}, {'field': 'NewDomainThreshold', 'description': 'Defines rarity or novelty of domain for the device or bundle.'}, {'field': 'AllowedServiceToDestinationMapping', 'description': 'Expected relationships between apps and external services.'}, {'field': 'BackgroundRefreshBaseline', 'description': 'Expected background network behavior for managed apps.'}, {'field': 'UserInteractionThreshold', 'description': 'Defines acceptable timing between user activity and network requests.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-17 20:56:49.928000+00:00 description Many properly configured firewalls may naturally block command and control traffic.
+Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. The defender correlates a supervised-device or managed-app request to a legitimate web platform with a subsequent connection to a newly derived destination that is not part of the expected service interaction. Because iOS has weaker app-level telemetry, the strongest signal is a network-level sequence where a request to a known public platform is immediately followed by a connection to a different domain or IP, particularly when the device is locked, no recent user interaction occurred, and the bundle is not expected to interact with such downstream infrastructure. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'DeviceLockState=locked or BackgroundRefresh active during resolver→pivot sequence'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before resolver request and pivot connection sequence'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Bundle performing resolver→pivot sequence not present in approved managed-app baseline or lacks expected service relationship'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence'}
[AN1677] Analytic 1677 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may be able to list domains and t From the defender’s view: an app retrieves opaque code (DEX/
+ /or IP addresses that applications communicate with. Mobile SO/JAR/JS) over the network or IPC, writes it into an app-wr
+ security products may provide URL inspection services that itable path, optionally performs verification-bypass behavio
+ could determine if a domain being visited is malicious. Appl rs (reflection, addJavascriptInterface exposure, or execmem
+ ication vetting services could look for indications that the friction), and then loads/executes that code via DexClassLoa
+ application downloads and executes new code at runtime (e.g der/PathClassLoader, dlopen, or WebView bridge invocation wi
+ ., on Android, use of `DexClassLoader`, `System.load`, or th thin a short window. The analytic correlates Network Content
+ e WebView `JavaScriptInterface` capability; on iOS, use of J → File Creation/Modification → OS API Execution (loader/sys
+ SPatch or similar capabilities). call/SELinux friction) → Module Load (DexClassLoader/dlopen)
+ and, for WebView paths, Application Log signals of JavaScri
+ pt interface attachment.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max correlation window between download → write → load (e.g., 10–60s depending on device/workload).'}, {'field': 'ContentTypeList', 'description': 'List of MIME types considered ‘code-like’ (octet-stream, zip, java-archive, x-dex, x-sharedlib, javascript).'}, {'field': 'WritablePathRegex', 'description': 'Regex for app-writable destinations to watch (/data/data//(files|cache)/, /storage/emulated/0/...).'}, {'field': 'PayloadEntropyThreshold', 'description': 'Entropy cutoff to flag likely code blobs (e.g., ≥ 7.2).'}, {'field': 'KnownGoodCDNAllowlist', 'description': 'CDNs/domains expected for legitimate updates to reduce FPs.'}, {'field': 'KnownGoodLoaderAllowlist', 'description': 'Bundles/libs known to legitimately load from writable paths (dev/test apps).'}, {'field': 'JSInterfaceNameList', 'description': 'Names of allowed WebView JS interfaces for the org (e.g., analytics only).'}, {'field': 'UserContext', 'description': 'Foreground/background, Work Profile, dev mode to scope alerts.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 17:21:52.654000+00:00 description Application vetting services may be able to list domains and/or IP addresses that applications communicate with.
+Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.
+Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). From the defender’s view: an app retrieves opaque code (DEX/SO/JAR/JS) over the network or IPC, writes it into an app-writable path, optionally performs verification-bypass behaviors (reflection, addJavascriptInterface exposure, or execmem friction), and then loads/executes that code via DexClassLoader/PathClassLoader, dlopen, or WebView bridge invocation within a short window. The analytic correlates Network Content → File Creation/Modification → OS API Execution (loader/syscall/SELinux friction) → Module Load (DexClassLoader/dlopen) and, for WebView paths, Application Log signals of JavaScript interface attachment. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'Create/write under /data/data//(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy'} x_mitre_log_source_references[2] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 
'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1', 'name': 'android:logcat', 'channel': 'DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so'}
[AN1678] Analytic 1678 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may be able to list domains and t From the defender’s view: a sandboxed app retrieves code-lik
+ /or IP addresses that applications communicate with. Mobile e content (JS/Mach-O/bundles), writes it to container tmp/Ca
+ security products may provide URL inspection services that ches, performs memory permission changes (RW→RX/RWX) or dire
+ could determine if a domain being visited is malicious. Appl ctly loads via dyld/dlopen from writable paths, sometimes pr
+ ication vetting services could look for indications that the eceded by 3rd-party hotpatch frameworks (e.g., JSPatch-like
+ application downloads and executes new code at runtime (e.g behavior) or script engine evaluation. The analytic correlat
+ ., on Android, use of `DexClassLoader`, `System.load`, or th es Network Content → File Creation → OS API Execution (memor
+ e WebView `JavaScriptInterface` capability; on iOS, use of J y permission change) → Module Load (dyld/dlopen) and/or Proc
+ SPatch or similar capabilities). ess Access (codesign validation touches), with optional scri
+ pting engine events.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max correlation window between download → write → load (e.g., 15–60s).'}, {'field': 'ContentTypeList', 'description': 'MIME list treated as code-like (octet-stream, zip, javascript, x-mach-o).'}, {'field': 'WritablePathRegex', 'description': 'Regex for app container tmp/Caches writable paths.'}, {'field': 'PayloadEntropyThreshold', 'description': 'Entropy cutoff to flag code blobs (e.g., ≥ 7.3).'}, {'field': 'KnownJITAllowlist', 'description': 'Bundles that legitimately do JIT/script eval to reduce RWX noise.'}, {'field': 'WritableLoadPathRegex', 'description': 'Regex for loads from writable paths only (exclude app bundle).'}, {'field': 'UnsignedExecPolicy', 'description': 'Handle enterprise/dev-provisioned unsigned execution contexts.'}, {'field': 'UserContext', 'description': 'Foreground/background or Work Profile state to filter noise.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 17:39:29.213000+00:00 description Application vetting services may be able to list domains and/or IP addresses that applications communicate with.
+Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.
+Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). From the defender’s view: a sandboxed app retrieves code-like content (JS/Mach-O/bundles), writes it to container tmp/Caches, performs memory permission changes (RW→RX/RWX) or directly loads via dyld/dlopen from writable paths, sometimes preceded by 3rd-party hotpatch frameworks (e.g., JSPatch-like behavior) or script engine evaluation. The analytic correlates Network Content → File Creation → OS API Execution (memory permission change) → Module Load (dyld/dlopen) and/or Process Access (codesign validation touches), with optional scripting engine events. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'iOS:unifiedlog', 'channel': 'Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'Create/write in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy'} x_mitre_log_source_references[2] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 
'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1', 'name': 'iOS:unifiedlog', 'channel': 'dlopen/image load from app-writable path (tmp, Caches) outside bundled resources'}
[AN1681] Analytic 1681 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Abuse of standard application protocols can be difficult to t Defender observes an application establishing recurrent HTTP
+ detect as many legitimate mobile applications leverage such S or FCM-based communication sessions exhibiting structured
+ protocols for language-specific APIs. Enterprises may be bet cadence, asymmetric request/response sizes, or persistent lo
+ ter served focusing on detection at other stages of adversar w-volume polling inconsistent with declared application func
+ ial behavior. tionality, potentially embedding command data within web pro
+ tocol traffic.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline'}] x_mitre_mutable_elements [{'field': 'BeaconIntervalVarianceThreshold', 'description': 'Defines acceptable deviation in HTTPS polling cadence'}, {'field': 'PayloadSymmetryThreshold', 'description': 'Defines acceptable ratio between request and response sizes'}, {'field': 'AppNetworkRoleBaseline', 'description': 'Expected mapping between application category and network endpoints'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-02 20:39:33.682000+00:00 description Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. Defender observes an application establishing recurrent HTTPS or FCM-based communication sessions exhibiting structured cadence, asymmetric request/response sizes, or persistent low-volume polling inconsistent with declared application functionality, potentially embedding command data within web protocol traffic. x_mitre_version 1.0 1.1
[AN1682] Analytic 1682 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Abuse of standard application protocols can be difficult to t Defender observes an application establishing recurrent HTTP
+ detect as many legitimate mobile applications leverage such S or APNS-related communications exhibiting structured caden
+ protocols for language-specific APIs. Enterprises may be bet ce, abnormal session persistence, or notification-triggered
+ ter served focusing on detection at other stages of adversar network bursts inconsistent with user interaction patterns o
+ ial behavior. r declared application behavior.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline'}] x_mitre_mutable_elements [{'field': 'NotificationWakeFrequencyThreshold', 'description': 'Baseline deviation tolerance for background wake events'}, {'field': 'HTTPSCadenceAnomalyThreshold', 'description': 'Acceptable deviation in recurring web traffic timing'}, {'field': 'SessionPersistenceThreshold', 'description': 'Threshold for abnormal TLS session duration'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-02 20:40:39.182000+00:00 description Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. Defender observes an application establishing recurrent HTTPS or APNS-related communications exhibiting structured cadence, abnormal session persistence, or notification-triggered network bursts inconsistent with user interaction patterns or declared application behavior. x_mitre_version 1.0 1.1
[AN1683] Analytic 1683 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could detect when applications t Defender correlates an app escalating file visibility (permi
+ store data insecurely, for example, in unprotected external ssions/flags, legacy storage modes) with enumeration of othe
+ storage. r apps’ storage or exported ContentProviders, followed by bu
+ lk reads/copies from target paths (including shared/external
+ storage) and optional archive/encode then share/upload. Seq
+ uence: storage capability/permission gain → target discovery
+ (provider queries, directory listing) → high-volume cross-a
+ pp data reads from writable/shared paths → archive/encode →
+ exfil/share within a short window.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Correlation window to tie discovery → reads → package → exfil (e.g., 15–120s).'}, {'field': 'ExternalStoragePathRegex', 'description': 'Regex for cross-app paths on external/shared storage to monitor.'}, {'field': 'SuspiciousProviders', 'description': 'List of exported/weakly-protected content providers under scrutiny.'}, {'field': 'MinBytesRead', 'description': 'Lower bound on cumulative read volume to avoid noisy single-file accesses.'}, {'field': 'ArchiveExtensions', 'description': 'Extensions considered packaging (.zip,.gz,.7z,.tar,.db copies).'}, {'field': 'ExfilDomainAllowlist', 'description': 'Known good CDNs/APIs to reduce false positives.'}, {'field': 'UserContext', 'description': 'Foreground/background, Work Profile, developer mode to scope alerts.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 17:51:41.189000+00:00 description Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage. Defender correlates an app escalating file visibility (permissions/flags, legacy storage modes) with enumeration of other apps’ storage or exported ContentProviders, followed by bulk reads/copies from target paths (including shared/external storage) and optional archive/encode then share/upload. Sequence: storage capability/permission gain → target discovery (provider queries, directory listing) → high-volume cross-app data reads from writable/shared paths → archive/encode → exfil/share within a short window. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'android:logcat', 'channel': 'Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'QUERY on exported ContentProviders of other packages (content:///*) or MediaStore scoped queries immediately preceding file reads'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'android:logcat', 'channel': 'READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data//files/, /storage/emulated/0/Download//*)'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths'}
[AN1684] Analytic 1684 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could detect when applications t Defender correlates attempts to access other apps’ data via
+ store data insecurely, for example, in unprotected external shared containers (App Groups), Photos/Files providers, past
+ storage. eboard abuse, or jailbroken cross-container reads, followed
+ by aggregation/packaging and optional exfil/share. Sequence:
+ capability/consent (TCC/entitlements) → target discovery (A
+ ppGroup/Photos/Files enumeration, URL schemes) → bulk read f
+ rom shared/foreign container or provider → package/encode →
+ exfil/share.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Correlation window for consent/discovery → read → package → exfil (e.g., 20–180s).'}, {'field': 'AppGroupAllowlist', 'description': 'Allowed App Group IDs for each bundle to reduce FPs.'}, {'field': 'ProviderScope', 'description': 'Files/Photos provider collections permitted for the app.'}, {'field': 'MinBytesRead', 'description': 'Lower bound on cumulative read size to signal collection vs casual access.'}, {'field': 'ArchiveExtensions', 'description': 'Packaging extensions to track when aggregating data.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Known-good enterprise domains/CDNs for uploads.'}, {'field': 'UserContext', 'description': 'Foreground/background and Work Profile state to scope analytics.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 18:00:59.178000+00:00 description Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage. Defender correlates attempts to access other apps’ data via shared containers (App Groups), Photos/Files providers, pasteboard abuse, or jailbroken cross-container reads, followed by aggregation/packaging and optional exfil/share. Sequence: capability/consent (TCC/entitlements) → target discovery (AppGroup/Photos/Files enumeration, URL schemes) → bulk read from shared/foreign container or provider → package/encode → exfil/share. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'iOS:unifiedlog', 'channel': 'Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'iOS:unifiedlog', 'channel': 'READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items'}
[AN1697] Analytic 1697 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Usage of insecure or malicious third-party libraries could b t An app or app update arrives through an expected delivery pa
+ e detected by application vetting services. Malicious softwa th or presents as a known legitimate package identity, but i
+ re development tools could be detected by enterprises that d ts post-install or post-update behavior materially changes i
+ eploy endpoint protection software on computers that are use n ways inconsistent with its historical role. The defender c
+ d to develop mobile apps. Application vetting could detect t orrelates package identity and install/update context, newly
+ he usage of insecure or malicious third-party libraries. expanded capability state, changed runtime framework use, n
+ ew sensor or storage behaviors, and new network destinations
+ shortly after installation or update to identify likely sup
+ ply-chain compromise rather than ordinary malicious sideload
+ ing or unrelated post-compromise activity.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum span between app install/update event and first suspicious post-delivery behavior.'}, {'field': 'AllowedAppList', 'description': 'Approved apps expected to change permissions, add services, or contact new destinations because of legitimate feature releases.'}, {'field': 'AllowedVersionChangeWindow', 'description': 'Grace period after a documented app release during which some behavior drift may be expected.'}, {'field': 'ForegroundStateRequired', 'description': 'Whether certain behaviors should only be considered suspicious when they occur without visible user interaction.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Threshold for determining whether immediate post-update activity was user-driven or autonomous.'}, {'field': 'DestinationAllowList', 'description': 'Expected new destinations, APIs, CDNs, or telemetry endpoints associated with approved app updates.'}, {'field': 'CapabilityDriftThreshold', 'description': 'Threshold for how many newly added or newly exercised permissions/capabilities are considered abnormal for a known app.'}, {'field': 'BehaviorBaselinePopulation', 'description': 'Population of prior devices, versions, or user cohorts used to baseline normal app behavior.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-12 17:37:17.976000+00:00 description Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries. An app or app update arrives through an expected delivery path or presents as a known legitimate package identity, but its post-install or post-update behavior materially changes in ways inconsistent with its historical role. The defender correlates package identity and install/update context, newly expanded capability state, changed runtime framework use, new sensor or storage behaviors, and new network destinations shortly after installation or update to identify likely supply-chain compromise rather than ordinary malicious sideloading or unrelated post-compromise activity. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'android:MDMLog', 'channel': 'Managed app catalog, enterprise update policy, or trusted distribution posture remains unchanged while a known app exhibits materially different post-update behavior'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Known application or newly updated version declares, gains, or activates expanded storage, sensor, communications, accessibility, or device-management capability inconsistent with prior baseline or app role'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Updated or newly delivered application becomes active, launches background services, or executes shortly after install/update with minimal user interaction inconsistent with baseline'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install'}
[AN1698] Analytic 1698 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Usage of insecure or malicious third-party libraries could b t A managed or supervised app, app update, or enterprise-distr
+ e detected by application vetting services. Malicious softwa ibuted build retains a legitimate-seeming identity but exhib
+ re development tools could be detected by enterprises that d its post-delivery behavior inconsistent with its expected ro
+ eploy endpoint protection software on computers that are use le, prior version, or distribution context. Because iOS expo
+ d to develop mobile apps. Application vetting could detect t ses less direct visibility into bundled dependency tampering
+ he usage of insecure or malicious third-party libraries. or component-level supply-chain insertion, the defender pri
+ oritizes supervised app inventory, signing/provisioning trus
+ t posture, entitlement and behavior drift after update, new
+ sensor/resource use, and new downstream network effects soon
+ after install or version change.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum span between app install/version change and first suspicious post-delivery behavior.'}, {'field': 'SupervisedOnly', 'description': 'Whether the analytic should only apply to supervised devices with high-confidence app inventory and managed distribution telemetry.'}, {'field': 'AllowedAppList', 'description': 'Approved apps expected to expand capabilities or contact new destinations because of legitimate releases.'}, {'field': 'AllowedVersionChangeWindow', 'description': 'Grace period after approved releases during which some behavior drift may be expected.'}, {'field': 'ForegroundStateRequired', 'description': 'Whether certain behaviors should only be treated as suspicious when they occur without expected visible user interaction.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Threshold for distinguishing autonomous post-update behavior from expected user-driven first-run flows.'}, {'field': 'DestinationAllowList', 'description': 'Expected new domains, APIs, telemetry services, or CDNs associated with approved app updates.'}, {'field': 'CapabilityDriftThreshold', 'description': 'Threshold for how much entitlement or capability drift is tolerated for a known app.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-13 23:37:57.341000+00:00 description Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries. A managed or supervised app, app update, or enterprise-distributed build retains a legitimate-seeming identity but exhibits post-delivery behavior inconsistent with its expected role, prior version, or distribution context. Because iOS exposes less direct visibility into bundled dependency tampering or component-level supply-chain insertion, the defender prioritizes supervised app inventory, signing/provisioning trust posture, entitlement and behavior drift after update, new sensor/resource use, and new downstream network effects soon after install or version change. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'iOS:MDMLog', 'channel': 'Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install'}
[AN1701] Analytic 1701 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user is prompted for approval when an application reques t Correlates (1) activation of Device Administrator privileges
+ ts device administrator permissions. Application vetting ser by an application, (2) absence or mismatch of legitimate us
+ vices can check for the string `BIND_DEVICE_ADMIN` in the ap er interaction during the approval flow, and (3) immediate e
+ plication’s manifest. This indicates it can prompt the user xecution of administrator-level control actions (e.g., passw
+ for device administrator permissions. The user can see which ord reset, device lock, policy enforcement, prevention of un
+ applications are registered as device administrators in the install). The defender observes a causal chain where an appl
+ device settings. ication transitions into a privileged device control role an
+ d rapidly exercises those capabilities outside expected user
+ -driven patterns. Application vetting services can check fo
+ r the string `BIND_DEVICE_ADMIN` in the application’s manife
+ st.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Defines correlation window between Device Admin activation and subsequent privileged actions'}, {'field': 'AllowedAdminApps', 'description': 'Baseline of legitimate applications expected to request Device Administrator privileges (e.g., enterprise MDM agents)'}, {'field': 'UserInteractionThreshold', 'description': 'Defines acceptable timing between user interaction and admin activation'}, {'field': 'PrivilegedActionSet', 'description': 'List of high-risk DevicePolicyManager API actions monitored for abuse'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 18:17:45.586000+00:00 description The user is prompted for approval when an application requests device administrator permissions.
+Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application’s manifest. This indicates it can prompt the user for device administrator permissions.
+The user can see which applications are registered as device administrators in the device settings. Correlates (1) activation of Device Administrator privileges by an application, (2) absence or mismatch of legitimate user interaction during the approval flow, and (3) immediate execution of administrator-level control actions (e.g., password reset, device lock, policy enforcement, prevention of uninstall). The defender observes a causal chain where an application transitions into a privileged device control role and rapidly exercises those capabilities outside expected user-driven patterns.
+
+Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application’s manifest. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application granted Device Administrator privilege + abnormal activation pattern (e.g., rapid enablement after install or no recent user interaction)'}
iterable_item_removed STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'}
[AN1702] Analytic 1702 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Enterprises may be able to detect anomalous traffic originat t The defender correlates proxy-capable network setup or socke
+ ing from mobile devices, which could indicate compromise. t-handling behavior with subsequent bidirectional traffic re
+ laying through the same device and app context, especially w
+ hen inbound client sessions are followed by outbound connect
+ ions to unrelated remote destinations or when the device sus
+ tains multiplexed traffic patterns inconsistent with normal
+ mobile app workflows. The analytic prioritizes Android-obser
+ vable effects: proxy or raw-socket setup, app background exe
+ cution, inbound-to-outbound traffic bridging, and sustained
+ relayed flows to multiple destinations without recent user i
+ nteraction.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between proxy/socket setup and subsequent inbound-outbound traffic bridging'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to proxy or tunnel traffic, such as enterprise VPN, remote access, security testing, or managed browser apps'}, {'field': 'AllowedDestinationList', 'description': 'Approved remote destinations or service categories for legitimate tunneling applications'}, {'field': 'ForegroundStateRequired', 'description': 'Whether proxy-capable or relayed traffic should occur only during active user-driven workflows'}, {'field': 'RelaySessionThreshold', 'description': 'Minimum number of correlated inbound and outbound session pairs required to indicate relay behavior'}, {'field': 'ByteSymmetryTolerance', 'description': 'Allowed variance between inbound and outbound byte volumes when identifying proxied traffic'}, {'field': 'ConcurrentDestinationThreshold', 'description': 'Maximum expected number of simultaneous unrelated remote destinations for a legitimate app'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume required for relay behavior to be considered meaningful'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 17:33:41.747000+00:00 description Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise. The defender correlates proxy-capable network setup or socket-handling behavior with subsequent bidirectional traffic relaying through the same device and app context, especially when inbound client sessions are followed by outbound connections to unrelated remote destinations or when the device sustains multiplexed traffic patterns inconsistent with normal mobile app workflows. The analytic prioritizes Android-observable effects: proxy or raw-socket setup, app background execution, inbound-to-outbound traffic bridging, and sustained relayed flows to multiple destinations without recent user interaction. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed app without approved VPN, enterprise tunneling, browser, or remote-access role exhibits proxy-like traffic handling inconsistent with policy baseline'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'NSM:Flow', 'channel': 'App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry'}
[AN1706] Analytic 1706 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for usage of the `RE t Defender observes an app (package/UID) repeatedly retrieving
+ AD_PRIVILEGED_PHONE_STATE` Android permission. This could in network interface configuration attributes (local IP/MAC/in
+ dicate that non-system apps are attempting to access informa terface names, active network capabilities, link properties,
+ tion that they do not have access to. proxy/DNS settings, or carrier identifiers when permitted)
+ in a short time window, without corresponding user network-m
+ anagement activity. The pattern is characterized by OS API e
+ xecution for interface/config reads combined with background
+ state, permission/role context (e.g., device owner/profile
+ owner/carrier/default-SMS), and optional follow-on connectiv
+ ity tests (gateway/DNS/proxy reachability). Correlate across
+ API execution + app state + (optional) local probe to ident
+ ify automated network configuration discovery rather than ro
+ utine connectivity checks.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Window to correlate config reads with app state and optional connectivity tests (e.g., 30–300s).'}, {'field': 'MinConfigReadEvents', 'description': 'Minimum number of network-config read signals before flagging (environment dependent; e.g., ≥10/5m).'}, {'field': 'BackgroundOnly', 'description': 'If true, require the app to be backgrounded to reduce legitimate network UI/diagnostic activity.'}, {'field': 'AllowlistedPackages', 'description': 'Connectivity/security/MDM apps expected to query network configuration frequently.'}, {'field': 'PrivilegedRoleFilter', 'description': 'If true, elevate severity when an app with device-owner/profile-owner/carrier roles performs bursts.'}, {'field': 'LocalProbePorts', 'description': "Ports considered 'connectivity tests' (e.g., 53, 80, 443, 8080, 3128) – tune per environment."}, {'field': 'NetworkChangeSuppressionSeconds', 'description': 'Suppress alerts shortly after legitimate network transitions (Wi-Fi join, VPN connect) to reduce noise.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-18 19:59:27.650000+00:00 description Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. Defender observes an app (package/UID) repeatedly retrieving network interface configuration attributes (local IP/MAC/interface names, active network capabilities, link properties, proxy/DNS settings, or carrier identifiers when permitted) in a short time window, without corresponding user network-management activity. The pattern is characterized by OS API execution for interface/config reads combined with background state, permission/role context (e.g., device owner/profile owner/carrier/default-SMS), and optional follow-on connectivity tests (gateway/DNS/proxy reachability). Correlate across API execution + app state + (optional) local probe to identify automated network configuration discovery rather than routine connectivity checks. x_mitre_version 1.0 1.1
[AN1710] Analytic 1710 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t System Network Connections Discovery can be difficult to det t Defender observes an app (package/UID) repeatedly querying d
+ ect, and therefore enterprises may be better served focusing evice networking context APIs (Wi-Fi scan results/current SS
+ on detection at other stages of adversarial behavior. ID/BSSID, Bluetooth device discovery, or cellular tower list
+ s) at a rate or timing inconsistent with the app’s normal UX
+ , often while backgrounded. Correlate API calls with permiss
+ ion usage (fine location, nearby devices/Bluetooth) and conc
+ urrent connectivity probes (DNS lookups/ARP/port reachabilit
+ y) to distinguish automated discovery from user-initiated se
+ ttings checks. The detection is based on observed API execut
+ ion + permission use + rate/sequence, not the specific API m
+ ethod name.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'android:appops', 'channel': 'ACCESS_FINE_LOCATION|NEARBY_DEVICES|BLUETOOTH_SCAN used in close proximity to network-context queries'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'wifiservice startScan / scanResults retrieved repeatedly or by unexpected package'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'telephony cell info enumeration bursts (neighboring/all cell info) by package'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans'}] x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Correlation window to link scan/enumeration API usage with subsequent probes (e.g., 30–300s).'}, {'field': 'MinScanCalls', 'description': 'Minimum number of scan/enumeration calls per window before flagging (e.g., ≥3 Wi-Fi scans / 5 min).'}, {'field': 'MinUniqueTargets', 'description': 'For Bluetooth/cell, minimum unique devices/towers observed per window (helps avoid single-device noise).'}, {'field': 'BackgroundOnly', 'description': 'Require app to be backgrounded during discovery to suppress legitimate UI-driven network selection.'}, {'field': 'AllowlistedPackages', 'description': 'Packages expected to scan (system settings, Wi-Fi managers, MDM, enterprise connectivity tools).'}, {'field': 
'LocationPermissionRequired', 'description': 'If true, require AppOps noteOp for fine location/nearby devices to reduce false positives.'}, {'field': 'LocalProbeCIDRs', 'description': "CIDR ranges considered 'local discovery' targets (e.g., 192.168.0.0/16, 10.0.0.0/8)."}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-18 19:46:01.796000+00:00 description System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. Defender observes an app (package/UID) repeatedly querying device networking context APIs (Wi-Fi scan results/current SSID/BSSID, Bluetooth device discovery, or cellular tower lists) at a rate or timing inconsistent with the app’s normal UX, often while backgrounded. Correlate API calls with permission usage (fine location, nearby devices/Bluetooth) and concurrent connectivity probes (DNS lookups/ARP/port reachability) to distinguish automated discovery from user-initiated settings checks. The detection is based on observed API execution + permission use + rate/sequence, not the specific API method name. x_mitre_version 1.0 1.1
[AN1711] Analytic 1711 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can see persistent notifications in their notificat t The defender correlates foreground service start or promotio
+ ion drawer and can subsequently uninstall applications that n activity with persistent-notification presentation, long-l
+ do not belong. Applications could be vetted for their use of ived application execution, and continued access to while-in
+ the `startForeground()` API, and could be further scrutiniz -use sensors or network activity outside expected user-drive
+ ed if usage is found. n context. The analytic looks for an application invoking fo
+ reground service APIs, sustaining a foreground state longer
+ than expected for its declared role, and retaining camera, m
+ icrophone, location, or other sensor access while the device
+ is locked, the app lacks recent interaction, or the notific
+ ation identity/function does not match the application’s beh
+ avior.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'AllowedAppList', 'description': 'Apps legitimately expected to run foreground services such as navigation, fitness, calling, media playback, enterprise VPN, accessibility, or device-management apps'}, {'field': 'AllowedServiceTypes', 'description': 'Approved foreground service types and role-to-type mappings, especially for Android 14+ and later'}, {'field': 'ForegroundDurationThreshold', 'description': 'Duration a foreground service may legitimately remain active before suspicion increases'}, {'field': 'SensorAfterPromotionWindow', 'description': 'Maximum expected delay between service promotion and sensor activation for legitimate workflows'}, {'field': 'NotificationMismatchPatterns', 'description': 'Patterns indicating misleading or impersonating foreground notifications, such as benign-looking text or mismatched app function'}, {'field': 'RecentInteractionThreshold', 'description': 'How recently the user must have interacted with the app for sensor or network activity to be considered expected'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum sustained outbound volume or beacon frequency during persistent foreground execution'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-08 20:14:18.733000+00:00 description The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.
+Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found. The defender correlates foreground service start or promotion activity with persistent-notification presentation, long-lived application execution, and continued access to while-in-use sensors or network activity outside expected user-driven context. The analytic looks for an application invoking foreground service APIs, sustaining a foreground state longer than expected for its declared role, and retaining camera, microphone, location, or other sensor access while the device is locked, the app lacks recent interaction, or the notification identity/function does not match the application’s behavior. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Persistent foreground-service notification is created, updated, or remains visible while app behavior or notification identity is inconsistent with declared function during the persistence interval'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Foreground service continues accessing camera, microphone, location, or other while-in-use sensors after service promotion and outside recent user interaction'}
[AN1712] Analytic 1712 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can detect which applications can r t Correlates (1) application access to or staging of local fil
+ equest device administrator permissions. Application vetting es likely to be of operational, evidentiary, or user value,
+ services could be extra scrutinous of applications that req (2) deletion of those files or wipe-like destructive actions
+ uest device administrator permissions. The user can view app through ordinary storage access, administrative controls, o
+ lications with administrator access through the device setti r privileged/rooted paths, and (3) continued app or device a
+ ngs, and may also notice if user data is inexplicably missin ctivity after deletion, including cleanup, concealment, or o
+ g. utbound transfer. The defender observes a causal chain where
+ files are first accessed or prepared, then removed, and dev
+ ice-side behavior continues after evidence or data is gone.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between file access or staging, deletion event, and subsequent activity'}, {'field': 'FileScopeSet', 'description': 'File paths, storage scopes, and data classes monitored for suspicious deletion, such as documents, databases, media, email stores, or update artifacts'}, {'field': 'DeletionVolumeThreshold', 'description': 'Threshold for number, size, or concentration of deleted files required before escalation'}, {'field': 'AllowedCleanupApps', 'description': 'Legitimate applications expected to rotate, purge, or clean up files in the environment'}, {'field': 'ProtectedRoleSet', 'description': 'Administrative or rooted control paths that materially increase destructive file deletion capability'}, {'field': 'UplinkBytesThreshold', 'description': 'Outbound traffic threshold used to distinguish exfiltration-linked cleanup from benign maintenance activity'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:39.616000+00:00 description Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.
+The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Correlates (1) application access to or staging of local files likely to be of operational, evidentiary, or user value, (2) deletion of those files or wipe-like destructive actions through ordinary storage access, administrative controls, or privileged/rooted paths, and (3) continued app or device activity after deletion, including cleanup, concealment, or outbound transfer. The defender observes a causal chain where files are first accessed or prepared, then removed, and device-side behavior continues after evidence or data is gone. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application holds device administrator, device owner, or other managed authority capable of wipe or destructive device-level action before bulk file loss or wipe event'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'device posture indicates rooted, compromised, or non-compliant state before protected or atypical filesystem deletion activity'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8', 'name': 'MobileEDR:telemetry', 'channel': 'application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections'}
[AN1713] Analytic 1713 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Unexpected loss of radio signal could indicate that a device t Defender correlates an Android-specific causal chain where d
+ is being actively jammed. evice connectivity degrades or oscillates across one or more
+ radios, applications lose or repeatedly reattempt network a
+ ccess, and the radio or network failure pattern is inconsist
+ ent with ordinary mobility, coverage transition, or user-ini
+ tiated airplane mode behavior. The defender correlates radio
+ state, connectivity framework behavior, application state,
+ network session failures, and location/network-provider degr
+ adation to distinguish network denial effects from routine w
+ eak-signal conditions.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum span for correlating connectivity degradation, application retry behavior, and network-session failure into a single denial event.'}, {'field': 'ExpectedMobilityPopulation', 'description': 'Users or device populations expected to move through low-coverage zones or transit environments that naturally cause network oscillation.'}, {'field': 'AllowedAppList', 'description': 'Apps expected to generate frequent retry behavior or maintain persistent sessions under ordinary weak-signal conditions.'}, {'field': 'ForegroundStateRequired', 'description': 'Whether impacted applications are expected to be actively visible to the user for the analytic to carry high confidence.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Time threshold for determining whether connectivity degradation occurred during active device use versus idle background operation.'}, {'field': 'FailureBurstThreshold', 'description': 'Threshold for repeated disconnects, resets, DNS failures, or transport failures within the correlation window.'}, {'field': 'LocationProviderDependencyList', 'description': 'Apps or services expected to rely on GPS or network-based location and therefore likely to exhibit secondary degradation during jamming.'}, {'field': 'ExpectedCoverageZones', 'description': 'Known sites or geographies with weak legitimate coverage that should be baseline-adjusted.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-11 16:29:42.519000+00:00 description Unexpected loss of radio signal could indicate that a device is being actively jammed. Defender correlates an Android-specific causal chain where device connectivity degrades or oscillates across one or more radios, applications lose or repeatedly reattempt network access, and the radio or network failure pattern is inconsistent with ordinary mobility, coverage transition, or user-initiated airplane mode behavior. The defender correlates radio state, connectivity framework behavior, application state, network session failures, and location/network-provider degradation to distinguish network denial effects from routine weak-signal conditions. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'android:MDMLog', 'channel': 'No user-initiated airplane mode, radio disablement, or managed network setting change occurred during repeated connectivity degradation'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'android:MDMLog', 'channel': 'Managed Wi-Fi, VPN, cellular, or location-related policy state remains unchanged while network capability degrades'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'MobileEDR:telemetry', 'channel': 'App with network-, telephony-, Wi-Fi-, or location-adjacent capability is impacted by abrupt repeated service loss while permissions remain unchanged'}
[AN1714] Analytic 1714 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Unexpected loss of radio signal could indicate that a device t Defender correlates an iOS-specific reduced-confidence chain
+ is being actively jammed. where a managed or supervised device remains active but exp
+ eriences abrupt loss of network-dependent functionality, rep
+ eated session failure, or sustained communication inability
+ without matching configuration changes or ordinary user acti
+ on. Because direct radio-layer and RF-cause visibility is we
+ aker on iOS, the defender emphasizes device posture, applica
+ tion wake or foreground behavior during service loss, protec
+ ted network-policy stability, and downstream failure pattern
+ s observed in VPN or proxy telemetry.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum span for correlating app activity, posture stability, and repeated network failure into a single denial event.'}, {'field': 'SupervisedOnly', 'description': 'Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry.'}, {'field': 'AllowedAppList', 'description': 'Apps expected to retry aggressively or queue offline work during routine coverage degradation.'}, {'field': 'ForegroundStateRequired', 'description': 'Whether the app should be foreground or recently active for the analytic to be treated as high confidence.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Time threshold for determining whether the denial occurred during active user use versus background idle periods.'}, {'field': 'FailureBurstThreshold', 'description': 'Threshold for repeated session failures, resets, timeouts, or DNS failures within the correlation window.'}, {'field': 'ExpectedCoverageZones', 'description': 'Known sites or geographies where benign poor service should be baseline-adjusted.'}, {'field': 'TrustedDestinationAllowList', 'description': 'Expected enterprise destinations whose temporary maintenance or outage should not be treated as device-targeted denial.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-12 17:09:47.656000+00:00 description Unexpected loss of radio signal could indicate that a device is being actively jammed. Defender correlates an iOS-specific reduced-confidence chain where a managed or supervised device remains active but experiences abrupt loss of network-dependent functionality, repeated session failure, or sustained communication inability without matching configuration changes or ordinary user action. Because direct radio-layer and RF-cause visibility is weaker on iOS, the defender emphasizes device posture, application wake or foreground behavior during service loss, protected network-policy stability, and downstream failure patterns observed in VPN or proxy telemetry. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'iOS:MDMLog', 'channel': 'Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'iOS:MDMLog', 'channel': 'No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'MobileEDR:telemetry', 'channel': 'Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure'}
[AN1715] Analytic 1715 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could potentially detect the us t Correlates (1) changes to application visibility or user-fac
+ age of APIs intended for artifact hiding. The user can exami ing presence such as launcher component disablement, icon su
+ ne the list of all installed applications in the device sett ppression, or reduced discoverability, (2) continued applica
+ ings. tion execution or privileged framework activity after that v
+ isibility reduction, and (3) follow-on behavior such as back
+ ground network communication, sensor access, or persistence-
+ related state transitions. The defender observes a causal ch
+ ain where an application becomes less visible to the user wh
+ ile retaining or increasing operational activity.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between visibility suppression and later hidden execution or network activity'}, {'field': 'AllowedAppList', 'description': 'Baseline of legitimate apps allowed to hide launcher presence or disable user-facing components'}, {'field': 'ForegroundStateRequired', 'description': 'Whether post-hide activity is only suspicious when no foreground interaction occurs'}, {'field': 'HiddenComponentThreshold', 'description': 'Threshold for number or type of launcher-visible components disabled before raising suspicion'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background telemetry'}, {'field': 'SensorAfterHideThreshold', 'description': 'Threshold for sensor access frequency after visibility suppression'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 19:26:01.974000+00:00 description Application vetting services could potentially detect the usage of APIs intended for artifact hiding.
+The user can examine the list of all installed applications in the device settings. Correlates (1) changes to application visibility or user-facing presence such as launcher component disablement, icon suppression, or reduced discoverability, (2) continued application execution or privileged framework activity after that visibility reduction, and (3) follow-on behavior such as background network communication, sensor access, or persistence-related state transitions. The defender observes a causal chain where an application becomes less visible to the user while retaining or increasing operational activity. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity'}
iterable_item_removed STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'}
[AN1716] Analytic 1716 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Since data encryption is a common practice in many legitimat t An application performs explicit cryptographic operations (e
+ e applications and uses standard programming language-specif .g., symmetric/asymmetric encryption routines) on locally co
+ ic APIs, encrypting data for command and control communicati llected or generated data, followed by structured outbound n
+ on is regarded as undetectable to the user. etwork communication that does not align with expected appli
+ cation behavior, particularly when occurring in the backgrou
+ nd or without user interaction. Detection correlates crypto
+ API usage + data staging + application state + network trans
+ mission patterns.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Time correlation between crypto operation and outbound network transmission'}, {'field': 'EntropyThreshold', 'description': 'Threshold for detecting encoded/encrypted payloads based on entropy scoring'}, {'field': 'AllowedCryptoApps', 'description': 'Apps expected to perform encryption (e.g., VPNs, messaging apps)'}, {'field': 'ForegroundStateRequired', 'description': 'Whether encryption + transmission should only occur during user interaction'}, {'field': 'BeaconIntervalVariance', 'description': 'Expected jitter/interval for legitimate app traffic vs beaconing patterns'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-01 15:33:34.145000+00:00 description Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user. An application performs explicit cryptographic operations (e.g., symmetric/asymmetric encryption routines) on locally collected or generated data, followed by structured outbound network communication that does not align with expected application behavior, particularly when occurring in the background or without user interaction. Detection correlates crypto API usage + data staging + application state + network transmission patterns. x_mitre_version 1.0 1.1
[AN1717] Analytic 1717 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Since data encryption is a common practice in many legitimat t Indirect evidence of application-layer encrypted channel usa
+ e applications and uses standard programming language-specif ge inferred through anomalous background processing and netw
+ ic APIs, encrypting data for command and control communicati ork transmission patterns following application activity, wh
+ on is regarded as undetectable to the user. ere encryption operations are not directly observable. Detec
+ tion correlates background execution + network behavior + ap
+ plication entitlement posture to identify misuse of encrypte
+ d communication channels.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between background processing and network transmission'}, {'field': 'AllowedAppList', 'description': 'Apps expected to use encrypted communication channels'}, {'field': 'EntropyThreshold', 'description': 'Threshold for identifying encoded/encrypted payloads'}, {'field': 'BeaconIntervalVariance', 'description': 'Tolerance for periodic communication patterns'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-01 15:39:38.487000+00:00 description Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user. Indirect evidence of application-layer encrypted channel usage inferred through anomalous background processing and network transmission patterns following application activity, where encryption operations are not directly observable. Detection correlates background execution + network behavior + application entitlement posture to identify misuse of encrypted communication channels. x_mitre_version 1.0 1.1
[AN1718] Analytic 1718 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect when an application t Correlates (1) application interaction with elevation contro
+ requests administrator permission. When an application reque l mechanisms (e.g., Accessibility Service, Device Admin, ove
+ sts administrator permission, the user is presented with a p rlay permissions, package installer flows), (2) rapid transi
+ opup and the option to grant or deny the request. tion to elevated capability state without expected user inte
+ raction patterns, and (3) immediate privileged actions such
+ as sensor access, UI manipulation, or background persistence
+ . The defender observes a causal chain where an application
+ gains elevated privileges through abuse of system-controlled
+ consent flows and subsequently performs actions inconsisten
+ t with normal user-driven authorization.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Defines correlation window between permission grant and privileged behavior'}, {'field': 'HighRiskPermissionSet', 'description': 'List of permissions or access types considered high-risk (Accessibility, Device Admin, overlay)'}, {'field': 'UserInteractionThreshold', 'description': 'Defines acceptable proximity of user interaction to permission grant'}, {'field': 'AllowedAppList', 'description': 'Baseline of legitimate apps expected to use high-risk permissions'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 18:10:00.568000+00:00 description Application vetting services can detect when an application requests administrator permission.
+When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. Correlates (1) application interaction with elevation control mechanisms (e.g., Accessibility Service, Device Admin, overlay permissions, package installer flows), (2) rapid transition to elevated capability state without expected user interaction patterns, and (3) immediate privileged actions such as sensor access, UI manipulation, or background persistence. The defender observes a causal chain where an application gains elevated privileges through abuse of system-controlled consent flows and subsequently performs actions inconsistent with normal user-driven authorization. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application granted high-risk permission or special access (AccessibilityService, SYSTEM_ALERT_WINDOW, DeviceAdmin) with abnormal grant pattern (e.g., no recent user interaction or rapid sequence of grants)'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant'}
[AN1719] Analytic 1719 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could detect usage of standard t From the defender view: an app registers a clipboard listene
+ clipboard APIs. r or calls ClipboardManager getters; the app is (a) foregrou
+ nd, (b) the default IME, or (c) abusing legacy paths. Shortl
+ y after each clipboard change, the app reads the primary cli
+ p repeatedly, optionally persists content (local file/DB) an
+ d/or exfiltrates it. We correlate: listener/clip-access → pr
+ ivilege/foreground confirmation → bursty reads → local write
+ and/or network egress within a tight window.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time between clip access → persist/exfil (e.g., 5–45s).'}, {'field': 'MinReadBurst', 'description': 'Minimum reads per clipboard change to flag harvesting (e.g., ≥2).'}, {'field': 'PersistPathRegex', 'description': 'Regex for files/DBs used to stash clipboard content in app container.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Allowlisted domains to suppress false positives for analytics SDKs.'}, {'field': 'ForegroundRequired', 'description': 'Require foreground unless app is the default IME (true/false).'}, {'field': 'UserContext', 'description': 'Work Profile/Developer Mode/Doze to scope alerts.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 18:06:40.461000+00:00 description Application vetting services could detect usage of standard clipboard APIs. From the defender view: an app registers a clipboard listener or calls ClipboardManager getters; the app is (a) foreground, (b) the default IME, or (c) abusing legacy paths. Shortly after each clipboard change, the app reads the primary clip repeatedly, optionally persists content (local file/DB) and/or exfiltrates it. We correlate: listener/clip-access → privilege/foreground confirmation → bursty reads → local write and/or network egress within a tight window. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by '}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'android:logcat', 'channel': 'Activity/Process state change (mFocusedApp, onResume/onPause) identifying as foreground'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'android:logcat', 'channel': 'Default IME active or bound to (InputMethodManager reports imeId=)'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)'}
[AN1720] Analytic 1720 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could detect usage of standard t From the defender view: an app accesses UIPasteboard content
+ clipboard APIs. s, sometimes repeatedly, including in background or immediat
+ ely after another app copies sensitive text. iOS 14+ shows u
+ ser notifications when pasting cross-app; unified logs refle
+ ct pasteboard access, notification, and optional subsequent
+ persistence/exfil. We correlate: pasteboard access → optiona
+ l cross-app notification → local write (cache/DB) and/or net
+ work egress within a short window.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time between pasteboard access → persist/exfil (e.g., 5–60s).'}, {'field': 'MinReadBurst', 'description': 'Minimum reads within window to flag harvesting (e.g., ≥2).'}, {'field': 'PersistPathRegex', 'description': 'Regex for paste dumps in app container.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Allowlisted analytics/CDN endpoints.'}, {'field': 'ForegroundRequired', 'description': 'Require foreground state for benign use; flag background reads.'}, {'field': 'UserContext', 'description': 'Work profile/MDM policy state to scope alerts.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 18:13:22.436000+00:00 description Application vetting services could detect usage of standard clipboard APIs. From the defender view: an app accesses UIPasteboard contents, sometimes repeatedly, including in background or immediately after another app copies sensitive text. iOS 14+ shows user notifications when pasting cross-app; unified logs reflect pasteboard access, notification, and optional subsequent persistence/exfil. We correlate: pasteboard access → optional cross-app notification → local write (cache/DB) and/or network egress within a short window. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'UIPasteboard read (general/string/data) by ; repeated reads or background access'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'iOS:unifiedlog', 'channel': '\\"has pasted from\\" cross-app paste notification text containing source app name'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'iOS:unifiedlog', 'channel': 'Foreground/background transition for to contextualize access timing'}
[AN1721] Analytic 1721 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for known software p t From the defender view: a sandboxed process receives/creates
+ ackers or artifacts of packing techniques. Packing is not a a high-entropy Mach-O/bundle or encrypted segment, performs
+ definitive indicator of malicious activity, because as legit in-memory decrypt/unpack (mmap/mprotect RW→RX or RWX), opti
+ imate software may use packing techniques to reduce binary s onally drops a transient image in app-writable dirs, then lo
+ ize or to protect proprietary code. ads it through dyld/dlopen or spawns it. We correlate: (1) o
+ paque blob write/arrival → (2) kernel memory protection chan
+ ges → (3) dyld/dlopen from app-writable path or posix_spawn
+ of a recently created image → (4) (optional) code-sign evalu
+ ation anomalies for the new image.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Correlation window from write→rwx→load/exec (e.g., 5–45s).'}, {'field': 'PayloadEntropyThreshold', 'description': 'Entropy to flag packed blobs (e.g., ≥ 7.3).'}, {'field': 'RWXPageMinKB', 'description': 'Minimum RWX allocation size (e.g., ≥ 32KB).'}, {'field': 'KnownJITAllowlist', 'description': 'Bundle IDs legitimately using JIT to avoid RWX false positives.'}, {'field': 'WritableLoadPathRegex', 'description': 'Regex for app-writable load paths (tmp, Caches) outside app bundle.'}, {'field': 'UnsignedExecPolicy', 'description': 'Tuning if enterprise/dev provisioning allows non-App Store binaries.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 17:01:36.709000+00:00 description Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code. From the defender view: a sandboxed process receives/creates a high-entropy Mach-O/bundle or encrypted segment, performs in-memory decrypt/unpack (mmap/mprotect RW→RX or RWX), optionally drops a transient image in app-writable dirs, then loads it through dyld/dlopen or spawns it. We correlate: (1) opaque blob write/arrival → (2) kernel memory protection changes → (3) dyld/dlopen from app-writable path or posix_spawn of a recently created image → (4) (optional) code-sign evaluation anomalies for the new image. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1', 'name': 'iOS:unifiedlog', 'channel': 'dlopen/image load from app-writable path (tmp, Caches) outside bundled resources'}
[AN1722] Analytic 1722 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for known software p t From the defender view: a sandboxed app handles a high-entro
+ ackers or artifacts of packing techniques. Packing is not a py executable blob, performs rapid decode/decrypt in memory
+ definitive indicator of malicious activity, because as legit (often with RW→RX or execmem friction), optionally emits a t
+ imate software may use packing techniques to reduce binary s ransient .dex/.so into app-writable paths, then immediately
+ ize or to protect proprietary code. loads/executes it (DexClassLoader/dlopen) or spawns a helper
+ . We correlate: (1) opaque blob write/arrival → (2) decode/u
+ npack or memory protection change → (3) new code artifact or
+ byte[] class definition → (4) dynamic load/exec within a ti
+ ght window.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Correlation window from write→unpack→load (e.g., 5–45s; device-dependent).'}, {'field': 'PayloadEntropyThreshold', 'description': 'Entropy to flag packed blobs (e.g., ≥ 7.2).'}, {'field': 'RWXPageMinKB', 'description': 'Minimum RWX allocation size to reduce noise (e.g., ≥ 32KB).'}, {'field': 'ExecPathRegex', 'description': 'Regex for suspicious .dex/.so/.jar/temp paths under app container.'}, {'field': 'KnownGoodLoadersAllowlist', 'description': 'Legit libraries/bundles expected to load from writable paths (test/dev builds).'}, {'field': 'UserContext', 'description': 'Foreground/background, Work Profile, developer mode to scope alerts.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-28 17:28:26.921000+00:00 description Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code. From the defender view: a sandboxed app handles a high-entropy executable blob, performs rapid decode/decrypt in memory (often with RW→RX or execmem friction), optionally emits a transient .dex/.so into app-writable paths, then immediately loads/executes it (DexClassLoader/dlopen) or spawns a helper. We correlate: (1) opaque blob write/arrival → (2) decode/unpack or memory protection change → (3) new code artifact or byte[] class definition → (4) dynamic load/exec within a tight window. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'Create/write of high-entropy files in /data/data//(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1', 'name': 'android:logcat', 'channel': 'DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'android:logcat', 'channel': 'dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process'}
[AN1723] Analytic 1723 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can often alert the user if their d t A lock-state transition telemetry, special access or privile
+ evice is vulnerable to known exploits. ged interaction capability, security-sensitive framework use
+ , and immediate downstream activity while the user-interacti
+ on context is weak or inconsistent. This yields stronger cov
+ erage on Android than iOS.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum allowed time between locked-state boundary, suspicious app/framework activity, and unlock transition.'}, {'field': 'AllowedAppList', 'description': 'Approved apps permitted to hold accessibility, overlay, device-admin, or other authentication-adjacent special access.'}, {'field': 'ForegroundStateRequired', 'description': 'Whether a benign authentication-adjacent app is expected to be visible in the foreground during unlock-related operations.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Time threshold for treating the unlock as user-driven based on touch, motion, or interaction context.'}, {'field': 'ExpectedUnlockPopulation', 'description': 'User or device groups expected to use alternative lockscreen workflows, enterprise trust agents, or kiosk-like modes.'}, {'field': 'TrustedDestinationAllowList', 'description': 'Expected destinations contacted immediately after legitimate unlock by enterprise apps.'}, {'field': 'UplinkBytesThreshold', 'description': 'Threshold for suspicious immediate post-unlock outbound traffic.'}, {'field': 'SensorUseAllowList', 'description': 'Apps expected to access camera or other sensors near the authentication boundary.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-11 16:02:58.868000+00:00 description Mobile security products can often alert the user if their device is vulnerable to known exploits. A lock-state transition telemetry, special access or privileged interaction capability, security-sensitive framework use, and immediate downstream activity while the user-interaction context is weak or inconsistent. This yields stronger coverage on Android than iOS. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'android:MDMLog', 'channel': 'Biometric, credential, lockscreen, trust-agent, Smart Lock, or device-admin-related protected device configuration changed'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Application gains or is observed with elevated interaction capability such as accessibility, overlay, device admin, notification access, or other authentication-adjacent special access'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'pplication or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context'}
[AN1724] Analytic 1724 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can often alert the user if their d t Defender correlates an iOS-specific reduced-confidence chain
+ evice is vulnerable to known exploits. where a supervised or managed device transitions from locke
+ d or inactive state to interactive or application-active sta
+ te with weak evidence of expected user authentication, often
+ accompanied by abnormal protected posture change, trust-sta
+ te change, unexpected app wake, sensor use, or immediate dow
+ nstream communication. Because direct visibility into locksc
+ reen bypass mechanics on iOS is limited, the analytic priori
+ tizes strong device-state effects and post-unlock behavior r
+ ather than pretending to observe the exact bypass method.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum allowed span between locked or inactive device state, suspicious app/service activity, and interactive transition.'}, {'field': 'AllowedAppList', 'description': 'Apps allowed to wake, foreground, or access protected resources near legitimate authentication events.'}, {'field': 'SupervisedOnly', 'description': 'Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Time threshold for treating the transition as expected and user-driven.'}, {'field': 'ExpectedUnlockPopulation', 'description': 'User or device groups expected to use atypical enterprise lockscreen workflows, kiosk-like modes, or accessibility accommodations.'}, {'field': 'SensorUseAllowList', 'description': 'Apps expected to access camera or biometric-adjacent resources near the authentication boundary.'}, {'field': 'TrustedDestinationAllowList', 'description': 'Expected destinations contacted immediately after legitimate app activation post-authentication.'}, {'field': 'UplinkBytesThreshold', 'description': 'Threshold for suspicious immediate outbound traffic after suspicious unlock-adjacent activity.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-11 16:09:37.177000+00:00 description Mobile security products can often alert the user if their device is vulnerable to known exploits. Defender correlates an iOS-specific reduced-confidence chain where a supervised or managed device transitions from locked or inactive state to interactive or application-active state with weak evidence of expected user authentication, often accompanied by abnormal protected posture change, trust-state change, unexpected app wake, sensor use, or immediate downstream communication. Because direct visibility into lockscreen bypass mechanics on iOS is limited, the analytic prioritizes strong device-state effects and post-unlock behavior rather than pretending to observe the exact bypass method. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'iOS:MDMLog', 'channel': 'Passcode, biometrics, attention-aware authentication, or supervised-device lock policy changed in a way that weakens or alters the authentication boundary'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Application wakes, becomes active, refreshes, or foregrounds immediately after locked or inactive state transition with weak recent user interaction'}
[AN1725] Analytic 1725 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect certificate pinning t The defender correlates application TLS trust customization
+ by examining an application’s `network_security_config.xml` activity with subsequent outbound encrypted sessions that by
+ file, although this behavior can be benign. pass enterprise interception visibility or fail only under e
+ nterprise inspection conditions. The analytic looks for an a
+ pp establishing its own certificate or public-key trust logi
+ c, then initiating HTTPS sessions to destinations not aligne
+ d with approved app behavior, especially from background sta
+ te or without recent user interaction. Higher-confidence obs
+ ervations come from Android runtime/framework telemetry show
+ ing custom trust manager, certificate validation override, o
+ r pin validation logic immediately preceding network connect
+ ion attempts, combined with network evidence of failed-inspe
+ ction patterns or opaque direct TLS sessions.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between trust customization activity and outbound TLS connection'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to implement SSL pinning such as banking, enterprise auth, or secure messaging apps'}, {'field': 'AllowedDestinationList', 'description': 'Approved domains, IPs, and service endpoints for managed applications'}, {'field': 'ForegroundStateRequired', 'description': 'Whether the application is expected to establish pinned sessions only during active user-driven workflows'}, {'field': 'InspectionFailureThreshold', 'description': 'Number of repeated inspection failures or certificate mismatch events before escalating'}, {'field': 'RetryPatternWindow', 'description': 'Time tolerance for inspection failure followed by retry/direct connection pattern'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-06 16:02:58.850000+00:00 description Application vetting services can detect certificate pinning by examining an application’s `network_security_config.xml` file, although this behavior can be benign. The defender correlates application TLS trust customization activity with subsequent outbound encrypted sessions that bypass enterprise interception visibility or fail only under enterprise inspection conditions. The analytic looks for an app establishing its own certificate or public-key trust logic, then initiating HTTPS sessions to destinations not aligned with approved app behavior, especially from background state or without recent user interaction. Higher-confidence observations come from Android runtime/framework telemetry showing custom trust manager, certificate validation override, or pin validation logic immediately preceding network connection attempts, combined with network evidence of failed-inspection patterns or opaque direct TLS sessions. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'TLS trust customization and outbound HTTPS session occur while app_state=background or device_locked=true or recent_user_interaction=false'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed app with undeclared secure transport behavior or app category mismatch initiates opaque TLS communications inconsistent with enterprise policy baseline'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Inspection', 'channel': 'TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation'}
[AN1726] Analytic 1726 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect certificate pinning t The defender correlates supervised-device application postur
+ by examining an application’s `network_security_config.xml` e and background execution context with network-side evidenc
+ file, although this behavior can be benign. e that an app rejects enterprise inspection or performs cert
+ ificate/public-key-bound trust behavior during TLS establish
+ ment. Because direct app-level pin-validation observability
+ is weaker on iOS, the analytic is anchored primarily to netw
+ ork control-plane effects: repeated TLS handshake rejection
+ under enterprise inspection, destination-specific inspection
+ bypass patterns, or persistent opaque app-to-endpoint encry
+ pted sessions inconsistent with baseline app behavior. Addit
+ ional confidence comes from managed app identity, background
+ execution context, and supervised device policy state.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between app lifecycle event and network-side inspection failure or opaque TLS session'}, {'field': 'AllowedAppList', 'description': 'Managed apps expected to use certificate or public-key pinning for legitimate purposes'}, {'field': 'AllowedDestinationList', 'description': 'Approved endpoints expected for legitimate pinned sessions'}, {'field': 'ForegroundStateRequired', 'description': 'Whether the app is expected to perform network establishment only during user-driven workflows'}, {'field': 'InspectionFailureThreshold', 'description': 'Number of repeated TLS-inspection failures needed before escalating confidence'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-08 16:26:13.027000+00:00 description Application vetting services can detect certificate pinning by examining an application’s `network_security_config.xml` file, although this behavior can be benign. The defender correlates supervised-device application posture and background execution context with network-side evidence that an app rejects enterprise inspection or performs certificate/public-key-bound trust behavior during TLS establishment. Because direct app-level pin-validation observability is weaker on iOS, the analytic is anchored primarily to network control-plane effects: repeated TLS handshake rejection under enterprise inspection, destination-specific inspection bypass patterns, or persistent opaque app-to-endpoint encrypted sessions inconsistent with baseline app behavior. Additional confidence comes from managed app identity, background execution context, and supervised device policy state. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Supervised managed app with undeclared secure transport behavior or unexpected network role communicates with non-baselined destination over opaque TLS'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Managed app initiates or resumes network-capable execution while app_state=background or device_locked=true before opaque TLS session attempt'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Inspection', 'channel': 'TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect'}
[AN1727] Analytic 1727 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect which broadcast inte t The defender correlates application registration for system
+ nts an application registers for and which permissions it re event triggers (e.g., broadcast receivers, WorkManager, JobS
+ quests. cheduler, SMS/BOOT events) with subsequent execution of appl
+ ication code immediately following the triggering event, wit
+ hout direct user interaction. Confidence increases when exec
+ ution occurs in background or locked state, is tied to sensi
+ tive triggers (SMS received, boot completed, connectivity ch
+ ange), and produces follow-on file or network activity incon
+ sistent with the application’s expected role.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between event trigger occurrence and execution behavior'}, {'field': 'SensitiveEventList', 'description': 'List of high-risk trigger events such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE, PACKAGE_ADDED'}, {'field': 'AllowedAppList', 'description': 'Applications legitimately expected to use background scheduling or event-driven execution (e.g., messaging, system services)'}, {'field': 'ForegroundStateRequired', 'description': 'Whether execution should only occur during active user interaction for specific app categories'}, {'field': 'ExecutionDelayThreshold', 'description': 'Maximum allowed delay between event trigger and execution to still be considered causal'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound data volume after event-triggered execution to indicate meaningful activity'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 21:01:31.075000+00:00 description Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. The defender correlates application registration for system event triggers (e.g., broadcast receivers, WorkManager, JobScheduler, SMS/BOOT events) with subsequent execution of application code immediately following the triggering event, without direct user interaction. Confidence increases when execution occurs in background or locked state, is tied to sensitive triggers (SMS received, boot completed, connectivity change), and produces follow-on file or network activity inconsistent with the application’s expected role. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'System event occurs (e.g., SMS received, device boot completed, network state changed) acting as trigger event for execution phase'}
[AN1728] Analytic 1728 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect unnecessary and pote t Correlates (1) acquisition of foreground or background locat
+ ntially abused location permissions. On Android 10 and later ion permission sufficient for continuous geolocation evaluat
+ , the system shows a notification to the user when an app ha ion, (2) repeated location checks or registration of geofenc
+ s been accessing device location in the background. Applicat e monitoring in background or low-interaction states, and (3
+ ion vetting services can detect unnecessary and potentially ) transition into sensitive behavior only after the device e
+ abused API calls. The user can review which applications hav nters, exits, or remains within a qualifying geographic regi
+ e location permissions in the operating system’s settings me on. The defender observes a causal chain where an applicatio
+ nu. n suppresses malicious or higher-risk behavior until a locat
+ ion-derived condition is satisfied, then initiates follow-on
+ actions such as network communication, background processin
+ g, or protected resource access.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between location evaluation, region transition, and guarded execution'}, {'field': 'RegionMatchThreshold', 'description': 'Defines proximity, radius, or duration within region required before subsequent activity is considered geographically gated'}, {'field': 'BackgroundLocationRequired', 'description': 'Whether suspiciousness increases when background location permission is present and activity occurs outside foreground use'}, {'field': 'DormancyThreshold', 'description': 'Amount of low-activity or dormant runtime before location-qualified activation'}, {'field': 'AllowedAppList', 'description': 'Baseline of legitimate apps expected to use geofencing or conditional location-based features'}, {'field': 'ForegroundStateRequired', 'description': 'Whether execution should be considered higher fidelity only when it begins from background or without recent user interaction'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound traffic volume used to distinguish meaningful post-match activity from benign telemetry'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 19:15:22.491000+00:00 description Application vetting services can detect unnecessary and potentially abused location permissions.
+On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.
+Application vetting services can detect unnecessary and potentially abused API calls.
+The user can review which applications have location permissions in the operating system’s settings menu. Correlates (1) acquisition of foreground or background location permission sufficient for continuous geolocation evaluation, (2) repeated location checks or registration of geofence monitoring in background or low-interaction states, and (3) transition into sensitive behavior only after the device enters, exits, or remains within a qualifying geographic region. The defender observes a causal chain where an application suppresses malicious or higher-risk behavior until a location-derived condition is satisfied, then initiates follow-on actions such as network communication, background processing, or protected resource access. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'application remains dormant, low-activity, or background-resident across non-qualifying locations and transitions into active execution only after geographic condition is met'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application granted ACCESS_FINE_LOCATION and, when required for background operation, ACCESS_BACKGROUND_LOCATION + capability state sufficient for persistent geolocation monitoring before later guarded activity'} x_mitre_log_source_references[2] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 
'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition'}
iterable_item_removed STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'}
[AN1729] Analytic 1729 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect unnecessary and pote t Correlates (1) application possession and use of location au
+ ntially abused location permissions. On Android 10 and later thorization sufficient for ongoing geographic evaluation, (2
+ , the system shows a notification to the user when an app ha ) repeated location or region-monitoring behavior with limit
+ s been accessing device location in the background. Applicat ed visible feature activation outside target area, and (3) a
+ ion vetting services can detect unnecessary and potentially brupt onset of network communication, background execution,
+ abused API calls. The user can review which applications hav or feature activation only after a qualifying location conte
+ e location permissions in the operating system’s settings me xt is reached. Because direct visibility into every geofence
+ nu. callback is often weaker on iOS, the defender relies more h
+ eavily on the combination of location authorization state, r
+ epeated location access, app state transition, and downstrea
+ m behavior that begins after region alignment.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between location access, region qualification, and guarded activity'}, {'field': 'AuthorizationMode', 'description': 'Expected risk weighting for when-in-use versus always authorization and whether background behavior occurs under that mode'}, {'field': 'RegionMatchThreshold', 'description': 'Defines geospatial or dwell-time threshold used to infer region-based activation'}, {'field': 'DormancyThreshold', 'description': 'Duration of inactivity or suppressed behavior before location-qualified activation'}, {'field': 'ExpectedBackgroundModes', 'description': 'Baseline of apps legitimately using location-driven background execution or region monitoring'}, {'field': 'AllowedDestinationList', 'description': 'Expected destinations for apps whose network activity legitimately depends on user location'}, {'field': 'UserInteractionThreshold', 'description': 'Acceptable recency of user interaction before post-location activation is considered suspicious'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 19:20:39.637000+00:00 description Application vetting services can detect unnecessary and potentially abused location permissions.
+On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.
+Application vetting services can detect unnecessary and potentially abused API calls.
+The user can review which applications have location permissions in the operating system’s settings menu. Correlates (1) application possession and use of location authorization sufficient for ongoing geographic evaluation, (2) repeated location or region-monitoring behavior with limited visible feature activation outside target area, and (3) abrupt onset of network communication, background execution, or feature activation only after a qualifying location context is reached. Because direct visibility into every geofence callback is often weaker on iOS, the defender relies more heavily on the combination of location authorization state, repeated location access, app state transition, and downstream behavior that begins after region alignment. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'application authorized for when-in-use or always location access and, where relevant, background execution capability sufficient for continued geographic evaluation before later guarded behavior'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match'}
iterable_item_removed STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'}
[AN1730] Analytic 1730 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t This behavior is seamless to the user and is typically undet t The defender correlates anomalous application package replac
+ ectable. ement, update, or executable-content drift with subsequent e
+ xecution under the trusted application's identity, especiall
+ y when package metadata, signing lineage, install source, fi
+ le integrity, or native/DEX component characteristics change
+ without a corresponding trusted distribution path. The anal
+ ytic prioritizes Android-observable control-plane effects: p
+ ackage install/update events, package hash or code-section d
+ rift, signer mismatch or lineage break, unexpected app proce
+ ss behavior after replacement, and optional near-term networ
+ k or sensor activity inconsistent with the legitimate applic
+ ation's baseline.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed application package version, signer lineage, installer source, or app identity changes outside approved enterprise or store-mediated update workflow'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Modified or newly replaced application begins execution or persists while recent_user_interaction=false or device_locked=true or launch context is inconsistent with expected user-driven update flow'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between package replacement, code drift, first launch, and follow-on behavior'}, {'field': 'AllowedAppList', 'description': 'Applications legitimately expected to update frequently or use staged package delivery'}, {'field': 'ApprovedInstallerSources', 'description': 'Expected install or update sources such as managed store, Google Play, or enterprise MDM'}, {'field': 'AllowedSignerLineage', 'description': 'Approved signing certificates, rotation chains, and version lineage 
for managed apps'}, {'field': 'AllowedPackagePaths', 'description': 'Expected package cache, installer, and app storage locations involved in legitimate updates'}, {'field': 'IntegrityDriftThreshold', 'description': 'Degree of executable-content or metadata change tolerated before alerting'}, {'field': 'ForegroundStateRequired', 'description': 'Whether package replacement and first launch should occur only during active user-driven workflows'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume after first execution of replaced app to treat post-compromise communication as meaningful'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 16:22:36.406000+00:00 description This behavior is seamless to the user and is typically undetectable. The defender correlates anomalous application package replacement, update, or executable-content drift with subsequent execution under the trusted application's identity, especially when package metadata, signing lineage, install source, file integrity, or native/DEX component characteristics change without a corresponding trusted distribution path. The analytic prioritizes Android-observable control-plane effects: package install/update events, package hash or code-section drift, signer mismatch or lineage break, unexpected app process behavior after replacement, and optional near-term network or sensor activity inconsistent with the legitimate application's baseline. x_mitre_version 1.0 1.1
[AN1731] Analytic 1731 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Since data encryption is a common practice in many legitimat t An application performs repeated symmetric cryptographic ope
+ e applications and uses standard programming language-specif rations (e.g., AES/RC4) on collected or staged data using lo
+ ic APIs, encrypting data for command and control communicati cally accessible or reusable keys, followed by structured ou
+ on is regarded as undetectable to the user. tbound communication. Detection correlates symmetric crypto
+ API invocation + key reuse patterns + data staging + backgro
+ und execution context + network transmission, especially whe
+ n inconsistent with expected application functionality.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Time correlation between symmetric encryption operations and outbound communication'}, {'field': 'EntropyThreshold', 'description': 'Threshold for detecting encrypted payloads based on entropy scoring'}, {'field': 'KeyReuseThreshold', 'description': 'Number of repeated uses of the same symmetric key within a defined interval'}, {'field': 'AllowedCryptoApps', 'description': 'Apps expected to use symmetric encryption (e.g., messaging, VPN)'}, {'field': 'ForegroundStateRequired', 'description': 'Whether encryption 
activity should occur only during active user interaction'}, {'field': 'BeaconIntervalVariance', 'description': 'Expected jitter vs periodic encrypted communication'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-01 16:01:38.627000+00:00 description Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user. An application performs repeated symmetric cryptographic operations (e.g., AES/RC4) on collected or staged data using locally accessible or reusable keys, followed by structured outbound communication. Detection correlates symmetric crypto API invocation + key reuse patterns + data staging + background execution context + network transmission, especially when inconsistent with expected application functionality. x_mitre_version 1.0 1.1
[AN1732] Analytic 1732 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Since data encryption is a common practice in many legitimat t Indirect evidence of symmetric cryptographic channel usage i
+ e applications and uses standard programming language-specif nferred through repeated structured encrypted network transm
+ ic APIs, encrypting data for command and control communicati issions and background processing patterns, where direct obs
+ on is regarded as undetectable to the user. ervation of symmetric crypto operations is limited. Detectio
+ n correlates application background execution + consistent e
+ ncrypted payload patterns + app entitlement posture to ident
+ ify misuse of symmetric encryption for command and control.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between background execution and network transmission'}, {'field': 'EntropyThreshold', 'description': 'Threshold for detecting encrypted payloads'}, {'field': 'BeaconIntervalVariance', 'description': 'Tolerance for periodic encrypted communication'}, {'field': 'AllowedAppList', 'description': 'Apps expected to exhibit encrypted communication patterns'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-01 16:04:16.642000+00:00 description Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user. Indirect evidence of symmetric cryptographic channel usage inferred through repeated structured encrypted network transmissions and background processing patterns, where direct observation of symmetric crypto operations is limited. Detection correlates application background execution + consistent encrypted payload patterns + app entitlement posture to identify misuse of symmetric encryption for command and control. x_mitre_version 1.0 1.1
[AN1733] Analytic 1733 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can detect which applications can r t Detects indirect evidence of host-side indicator removal by
+ equest device administrator permissions. Application vetting correlating (1) local artifact creation or compromise-state-
+ services could look for use of APIs that could indicate the relevant activity, (2) later disappearance, alteration, or r
+ application is trying to hide activity. The user can view a eporting loss for those artifacts or state indicators, and (
+ pplications with administrator access through the device set 3) continued application or device activity under reduced vi
+ tings, and may also notice if user data is inexplicably miss sibility. Because iOS provides weaker direct visibility into
+ ing. The user can see a list of applications that can use ac some Android-style artifact and jailbreak-indicator manipul
+ cessibility services in the device settings. ation patterns, the defender relies more on app-private arti
+ fact lifecycle changes, managed posture shifts, and continue
+ d runtime or network activity after expected evidence disapp
+ ears.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between artifact disappearance, posture change, and continued activity'}, {'field': 'ArtifactTypeSet', 'description': 'Host artifacts and state indicators monitored for suspicious removal, alteration, or disappearance'}, {'field': 'ExpectedTelemetrySources', 'description': 'Baseline sources expected to continue exposing artifact presence or compromise-relevant state'}, {'field': 'TelemetryGapThreshold', 'description': 'Threshold defining abnormal loss of artifact visibility or managed-state continuity'}, {'field': 'ExpectedManagementChanges', 'description': 'Known legitimate posture or inventory changes that may remove or update artifacts'}, {'field': 'UplinkBytesThreshold', 'description': 'Outbound traffic threshold used to confirm meaningful continued activity after indicator removal'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:22.993000+00:00 description Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.
+The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. Detects indirect evidence of host-side indicator removal by correlating (1) local artifact creation or compromise-state-relevant activity, (2) later disappearance, alteration, or reporting loss for those artifacts or state indicators, and (3) continued application or device activity under reduced visibility. Because iOS provides weaker direct visibility into some Android-style artifact and jailbreak-indicator manipulation patterns, the defender relies more on app-private artifact lifecycle changes, managed posture shifts, and continued runtime or network activity after expected evidence disappears. x_mitre_version 1.0 1.1
[AN1734] Analytic 1734 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can detect which applications can r t Correlates (1) application activity that creates, modifies,
+ equest device administrator permissions. Application vetting or accesses local artifacts relevant to detection or device
+ services could look for use of APIs that could indicate the compromise state, (2) subsequent deletion, alteration, renam
+ application is trying to hide activity. The user can view a ing, relocation, or visibility suppression of those artifact
+ pplications with administrator access through the device set s, including files, application presence, media, or root-com
+ tings, and may also notice if user data is inexplicably miss promise indicators, and (3) continued application execution,
+ ing. The user can see a list of applications that can use ac reduced telemetry quality, or outbound activity after the a
+ cessibility services in the device settings. rtifact state changes. The defender observes a causal chain
+ where host-side evidence is first manipulated and expected v
+ isibility or reporting degrades while the initiating applica
+ tion remains active.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between artifact change, visibility degradation, and continued execution or network activity'}, {'field': 'ArtifactTypeSet', 'description': 'Types of host artifacts monitored for suspicious removal or alteration, such as files, installed-app presence, hidden media, or compromise markers'}, {'field': 'ExpectedTelemetrySources', 'description': 'Baseline sources expected to continue reflecting artifacts or compromise state'}, {'field': 'TelemetryGapThreshold', 'description': 'Threshold defining abnormal loss of artifact visibility or reporting continuity'}, {'field': 'AllowedAppList', 'description': 'Legitimate apps expected to delete or alter artifacts as part of normal lifecycle or cleanup behavior'}, {'field': 'UplinkBytesThreshold', 'description': 'Outbound traffic threshold used to confirm meaningful activity after indicator removal'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:21.803000+00:00 description Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.
+The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. Correlates (1) application activity that creates, modifies, or accesses local artifacts relevant to detection or device compromise state, (2) subsequent deletion, alteration, renaming, relocation, or visibility suppression of those artifacts, including files, application presence, media, or root-compromise indicators, and (3) continued application execution, reduced telemetry quality, or outbound activity after the artifact state changes. The defender observes a causal chain where host-side evidence is first manipulated and expected visibility or reporting degrades while the initiating application remains active. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'device posture or compromise-state indicators change unexpectedly, including rooted or non-compliant status disappearance, after prior app or system activity suggesting persistence on device'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'managed application state changes unexpectedly through uninstall, disappearance from expected inventory, or install-state mismatch after prior suspicious activity'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss'}
[AN1737] Analytic 1737 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can review which applications have location and sen t Correlates (1) application access to device- or environment-
+ sitive phone information permissions in the operating system specific attributes used to validate target conditions, (2)
+ ’s settings menu. Application vetting services can detect u suppression of sensitive behavior until those attributes mat
+ nnecessary and potentially abused API calls. Application vet ch an expected value, and (3) immediate transition into prot
+ ting services can detect unnecessary and potentially abused ected actions such as sensor use, file access, or network co
+ permissions. mmunication only after the condition is satisfied. The defen
+ der observes a causal chain where an app repeatedly evaluate
+ s device state or environment context and withholds executio
+ n until a target-specific match occurs.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between environment checks and subsequent guarded execution'}, {'field': 'TargetAttributeSet', 'description': 'Environment attributes treated as likely guardrail inputs, such as locale, geolocation, carrier, Wi-Fi identity, device model, or lock state'}, {'field': 'DormancyThreshold', 'description': 'Amount of suppressed or low-activity runtime before sensitive behavior begins'}, {'field': 'AllowedAppList', 'description': 'Baseline of legitimate apps expected to evaluate environment attributes before conditional feature activation'}, {'field': 'ForegroundStateRequired', 'description': 'Whether guarded execution is only suspicious when activated from background or without recent user interaction'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound traffic volume used to distinguish meaningful guarded execution from benign telemetry'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 18:45:30.914000+00:00 description The user can review which applications have location and sensitive phone information permissions in the operating system’s settings menu.
+Application vetting services can detect unnecessary and potentially abused API calls.
+Application vetting services can detect unnecessary and potentially abused permissions. Correlates (1) application access to device- or environment-specific attributes used to validate target conditions, (2) suppression of sensitive behavior until those attributes match an expected value, and (3) immediate transition into protected actions such as sensor use, file access, or network communication only after the condition is satisfied. The defender observes a causal chain where an app repeatedly evaluates device state or environment context and withholds execution until a target-specific match occurs. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed'}
iterable_item_removed STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'}
[AN1738] Analytic 1738 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can review which applications have location and sen t Detects conditional execution by correlating (1) application
+ sitive phone information permissions in the operating system access to constrained environment signals such as location,
+ ’s settings menu. Application vetting services can detect u locale, network context, device state, or user interaction
+ nnecessary and potentially abused API calls. Application vet timing, (2) prolonged inactivity or feature suppression desp
+ ting services can detect unnecessary and potentially abused ite available permissions, and (3) abrupt initiation of high
+ permissions. er-risk behavior only when the expected target context is pr
+ esent. Because direct observation of some runtime decision l
+ ogic is weaker on iOS, the defender relies more heavily on l
+ ifecycle, sensor, and downstream network effects following t
+ arget-condition alignment.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between context checks and guarded execution'}, {'field': 'TargetContextSet', 'description': 'Expected environment properties used for gating, such as location region, locale, SSID/network context, device lock state, or user activity timing'}, {'field': 'DormancyThreshold', 'description': 'Duration of inactivity before guarded behavior begins'}, {'field': 'ExpectedBackgroundModes', 'description': 'Baseline of legitimate apps whose feature activation is context-dependent in background execution'}, {'field': 'AllowedDestinationList', 'description': 'Expected destinations for apps whose network activity legitimately begins only in certain contexts'}, {'field': 'UserInteractionThreshold', 'description': 'Acceptable recency of user interaction before guarded execution is considered suspicious'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 18:49:55.440000+00:00 description The user can review which applications have location and sensitive phone information permissions in the operating system’s settings menu.
+Application vetting services can detect unnecessary and potentially abused API calls.
+Application vetting services can detect unnecessary and potentially abused permissions. Detects conditional execution by correlating (1) application access to constrained environment signals such as location, locale, network context, device state, or user interaction timing, (2) prolonged inactivity or feature suppression despite available permissions, and (3) abrupt initiation of higher-risk behavior only when the expected target context is present. Because direct observation of some runtime decision logic is weaker on iOS, the defender relies more heavily on lifecycle, sensor, and downstream network effects following target-condition alignment. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'application remains inactive across normal execution windows and transitions into background or foreground activity burst only when qualifying device context, lock state, locale, or network condition exists'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'application has approved capabilities required for conditional execution (e.g., location/background modes) but observed behavior is deferred until target-specific state is present'} x_mitre_log_source_references[2] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 
'channel': 'application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match'}
[AN1739] Analytic 1739 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t On Android, Verified Boot can detect unauthorized modificati t Correlates anomalous modifications to boot-time or logon-tim
+ ons to the system partition.(Citation: Android-VerifiedBoot) e initialization artifacts (for example, init.rc, vendor ini
+ Android's SafetyNet API provides remote attestation capabil t scripts, app_process or shell hijacks, and malicious BOOT_
+ ities, which could potentially be used to identify and respo COMPLETED BroadcastReceivers) with subsequent unauthorized s
+ nd to compromise devices. Samsung Knox provides a similar re cript execution after boot. From the defender’s perspective
+ mote attestation capability on supported Samsung devices. this appears as integrity or attestation failures on the sys
+ tem partition, unexpected writes to protected init paths, ne
+ w apps registering for boot events, and privileged processes
+ invoking scripts or binaries from non-standard locations sh
+ ortly after the device boots.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between boot/attestation event and suspicious script execution (for example, 0–10 minutes after BOOT_COMPLETED).'}, {'field': 'AuthorizedBootReceivers', 'description': 'Enterprise-specific allow list of packages expected to register BOOT_COMPLETED receivers.'}, {'field': 'ProtectedPaths', 'description': 'OEM- and ROM-specific list of system and vendor init script locations that should be immutable in production devices.'}, {'field': 'ExpectedAttestationState', 'description': 'Expected Verified Boot, SafetyNet, and OEM attestation states for enrolled devices. Custom ROM or dev devices may need relaxed thresholds.'}, {'field': 'IntegrityFailureThreshold', 'description': 'Number or rate of attestation failures before escalating to a high-severity incident.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2025-12-02 15:38:03.766000+00:00 description On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Correlates anomalous modifications to boot-time or logon-time initialization artifacts (for example, init.rc, vendor init scripts, app_process or shell hijacks, and malicious BOOT_COMPLETED BroadcastReceivers) with subsequent unauthorized script execution after boot. From the defender’s perspective this appears as integrity or attestation failures on the system partition, unexpected writes to protected init paths, new apps registering for boot events, and privileged processes invoking scripts or binaries from non-standard locations shortly after the device boots. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'AndroidAttestation:VerifiedBoot', 'channel': 'Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8', 'name': 'AndroidLogs:FileSystem', 'channel': 'Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5', 'name': 'AndroidLogs:Framework', 'channel': 'BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'AndroidLogs:Kernel', 'channel': 'init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'AndroidAttestation:SafetyNet', 'channel': 'SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'OEMAttestation:Knox', 'channel': 'Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Android-VerifiedBoot', 'description': 'Android. (n.d.). Verified Boot. Retrieved December 21, 2016.', 'url': 'https://source.android.com/security/verifiedboot/'}
[AN1740] Analytic 1740 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t On Android, Verified Boot can detect unauthorized modificati t Correlates unauthorized alterations to launchd configuration
+ ons to the system partition.(Citation: Android-VerifiedBoot) (LaunchDaemons/LaunchAgents plists), background execution e
+ Android's SafetyNet API provides remote attestation capabil ntitlements, or sideloaded app containers with suspicious au
+ ities, which could potentially be used to identify and respo to-start behavior during device boot or user unlock. From th
+ nd to compromise devices. Samsung Knox provides a similar re e defender’s view this shows up as new or modified plist fil
+ mote attestation capability on supported Samsung devices. es in launchd directories, launchd starting binaries from no
+ n-Apple or non-AppStore locations, and apps with unexpected
+ background modes that remain active immediately after boot/u
+ nlock.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'JailbreakIndicators', 'description': 'List of filesystem paths or process names that identify intentionally jailbroken lab devices and should be handled differently.'}, {'field': 'LaunchdWhitelist', 'description': 'Organization-specific list of allowed launchd job labels and binary paths.'}, {'field': 'AllowedBackgroundModes', 'description': 'Per-app allow list for background execution modes (for example, VOIP, location) to reduce noise.'}, {'field': 'BootUnlockWindow', 'description': 'Time window after boot or unlock within which unexpected launchd auto-starts are considered high risk.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2025-12-04 17:05:14.687000+00:00 description On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Correlates unauthorized alterations to launchd configuration (LaunchDaemons/LaunchAgents plists), background execution entitlements, or sideloaded app containers with suspicious auto-start behavior during device boot or user unlock. From the defender’s view this shows up as new or modified plist files in launchd directories, launchd starting binaries from non-Apple or non-AppStore locations, and apps with unexpected background modes that remain active immediately after boot/unlock. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8', 'name': 'iOS:unifiedlog', 'channel': 'Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'iOS:unifiedlog', 'channel': 'launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa', 'name': 'iOS:unifiedlog', 'channel': 'Application gaining or using unexpected background execution entitlements or modes'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Android-VerifiedBoot', 'description': 'Android. (n.d.). Verified Boot. Retrieved December 21, 2016.', 'url': 'https://source.android.com/security/verifiedboot/'}
[AN1741] Analytic 1741 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Command-line activities can potentially be detected through t The defender correlates app-driven shell or command executio
+ Mobile Threat Defense (MTD) integrations with lower-level OS n setup with subsequent process creation, command invocation
+ APIs. This could grant the MTD agents access to running pro , or script-driven follow-on behavior under the same app con
+ cesses and their parameters, potentially detecting unwanted text, especially when command execution occurs from backgrou
+ or malicious shells. Mobile Threat Defense (MTD) with lower- nd state, without recent user interaction, or immediately af
+ level OS APIs integrations may have access to newly created ter payload retrieval or local staging. The analytic priorit
+ processes and their parameters, potentially detecting unwant izes Android-observable control-plane effects: Java Runtime
+ ed or malicious shells. Application vetting services could d or similar command-execution method use, shell or sh-like pr
+ etect the invocations of methods that could be used to execu ocess creation, command parameter visibility where available
+ te shell commands.(Citation: Samsung Knox Mobile Threat Defe , and immediate file or network effects produced by the inte
+ nse) Mobile Threat Defense (MTD) with lower-level OS APIs in rpreter.
+ tegrations may have access to running processes and their pa
+ rameters, potentially detecting unwanted or malicious shells
+ .
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between command-launch method use, process creation, and follow-on file or network effects'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to run shell-like or administrative commands, such as enterprise support tools, terminal apps, approved EMM agents, or developer tooling'}, {'field': 'AllowedProcessPatterns', 'description': 'Expected command interpreters, process names, or parent-child execution chains for approved apps'}, {'field': 'ForegroundStateRequired', 'description': 'Whether command execution should occur only during active user-driven workflows'}, {'field': 'CommandArgumentRiskPatterns', 'description': 'Environment-specific list of suspicious command arguments, redirection usage, chaining operators, or shell-control syntax'}, {'field': 'PostExecutionWriteThreshold', 'description': 'Minimum number or size of file artifacts created after interpreter execution to increase confidence'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume after command execution to treat network behavior as meaningful'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 20:26:15.372000+00:00 description Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.
+Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.
+Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)
+Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells. The defender correlates app-driven shell or command execution setup with subsequent process creation, command invocation, or script-driven follow-on behavior under the same app context, especially when command execution occurs from background state, without recent user interaction, or immediately after payload retrieval or local staging. The analytic prioritizes Android-observable control-plane effects: Java Runtime or similar command-execution method use, shell or sh-like process creation, command parameter visibility where available, and immediate file or network effects produced by the interpreter. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'Command', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'Process', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'MobileEDR:telemetry', 'channel': 'Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Samsung Knox Mobile Threat Defense', 'description': 'Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.', 'url': 'https://partner.samsungknox.com/mtd'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1', 'name': 'Process', 'channel': 'None'}
[AN1742] Analytic 1742 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Command-line activities can potentially be detected through t The defender correlates managed-app runtime behavior indicat
+ Mobile Threat Defense (MTD) integrations with lower-level OS ive of command or shell invocation with subsequent spawned p
+ APIs. This could grant the MTD agents access to running pro rocess or shell-like execution effects, then raises confiden
+ cesses and their parameters, potentially detecting unwanted ce when the resulting activity produces local artifacts or n
+ or malicious shells. Mobile Threat Defense (MTD) with lower- etwork communication outside expected user context. Because
+ level OS APIs integrations may have access to newly created direct shell-process visibility can be weaker on iOS in many
+ processes and their parameters, potentially detecting unwant enterprise deployments, the analytic anchors first on proce
+ ed or malicious shells. Application vetting services could d ss-creation or lower-level OS API effects where mobile telem
+ etect the invocations of methods that could be used to execu etry can observe them, then on lifecycle context and post-ex
+ te shell commands.(Citation: Samsung Knox Mobile Threat Defe ecution network or file behavior. Confidence is strongest wh
+ nse) Mobile Threat Defense (MTD) with lower-level OS APIs in en the same app shows command invocation followed by process
+ tegrations may have access to running processes and their pa execution and immediate follow-on effects.
+ rameters, potentially detecting unwanted or malicious shells
+ .
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between command-execution indication, process effects, and follow-on file or network behavior'}, {'field': 'AllowedAppList', 'description': 'Managed apps legitimately expected to perform debugging, remote support, or enterprise automation tasks'}, {'field': 'AllowedProcessPatterns', 'description': 'Expected process-launch or helper-execution patterns for approved managed apps'}, {'field': 'ForegroundStateRequired', 'description': 'Whether command-execution behavior should occur only during active user-driven workflows'}, {'field': 'ArtifactPathPatterns', 'description': 'Expected temporary or output file locations for approved app behavior'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume after command execution to treat network behavior as meaningful'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 20:37:17.277000+00:00 description Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.
+Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.
+Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)
+Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells. The defender correlates managed-app runtime behavior indicative of command or shell invocation with subsequent spawned process or shell-like execution effects, then raises confidence when the resulting activity produces local artifacts or network communication outside expected user context. Because direct shell-process visibility can be weaker on iOS in many enterprise deployments, the analytic anchors first on process-creation or lower-level OS API effects where mobile telemetry can observe them, then on lifecycle context and post-execution network or file behavior. Confidence is strongest when the same app shows command invocation followed by process execution and immediate follow-on effects. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'Command', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'Process', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'MobileEDR:telemetry', 'channel': 'Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Samsung Knox Mobile Threat Defense', 'description': 'Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.', 'url': 'https://partner.samsungknox.com/mtd'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1', 'name': 'Process', 'channel': 'None'}
[AN1743] Analytic 1743 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t When vetting applications for potential security weaknesses, t Defender observes an OAuth/OIDC redirect (ACTION_VIEW) resol
+ the vetting process could look for insecure use of Intents. ved to a non-allowlisted handler package (logcat:IntentResol
+ Developers should be encouraged to use techniques to ensure ver), followed within a short window by that same package ac
+ that the intent can only be sent to an appropriate destinat cessing token material via AccountManager/Keystore or readin
+ ion (e.g., use explicit rather than implicit intents, permis g application token caches under /data/data/<pkg>/(shared_pr
+ sion checking, checking of the destination app's signing cer efs|databases) (logcat:AccountManager, logcat:Keystore, logc
+ tificate, or utilizing the App Links feature). For mobile ap at:FileIO). Correlate on package/UID/profile and time proxim
+ plications using OAuth, encourage use of best practice.(Cita ity to indicate token acquisition.
+ tion: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On A
+ ndroid, users may be presented with a popup to select the ap
+ propriate application to open a URI in. If the user sees an
+ application they do not recognize, they can remove it.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max seconds between redirect handling and token access (e.g., 30–180).'}, {'field': 'RedirectUriAllowlist', 'description': 'Approved redirect URI patterns per app (HTTPS/app-scheme).'}, {'field': 'TrustedHandlerPackages', 'description': 'Expected package names allowed to handle the redirect.'}, {'field': 'TokenFileRegex', 'description': 'Environment-specific token cache filenames/paths.'}, {'field': 'WorkProfileScope', 'description': 'Restrict to enterprise work profile to reduce personal-app noise.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-02 17:41:17.052000+00:00 description When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)
+On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. Defender observes an OAuth/OIDC redirect (ACTION_VIEW) resolved to a non-allowlisted handler package (logcat:IntentResolver), followed within a short window by that same package accessing token material via AccountManager/Keystore or reading application token caches under /data/data//(shared_prefs|databases) (logcat:AccountManager, logcat:Keystore, logcat:FileIO). Correlate on package/UID/profile and time proximity to indicate token acquisition. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'ACTION_VIEW redirect_uri handled by unexpected package'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'android:logcat', 'channel': 'Task switch from browser/custom tab to handler immediately after OAuth return'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'android:logcat', 'channel': 'KeyChain/AndroidKeyStore read of token alias'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Android-AppLinks', 'description': 'Android. (n.d.). Handling App Links. Retrieved December 21, 2016.', 'url': 'https://developer.android.com/training/app-links/index.html'} external_references {'source_name': 'IETF-OAuthNativeApps', 'description': 'W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.', 'url': 'https://tools.ietf.org/html/rfc8252'}
[AN1747] Analytic 1747 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The OS may show a notification to the user that the SIM card t A defender correlates a sudden carrier identity/service stat
+ has been transferred to another device. e change (SIM/line identifier change or unexpected loss of c
+ ellular service) with near-term device messaging/telephony d
+ isruption and a concurrent shift in authentication traffic p
+ atterns—such as a spike in SMS-based verification flows or a
+ ccount recovery activity from the same user’s identities—ind
+ icating the user’s number may have been transferred to a dif
+ ferent SIM/device (SIM swap impact).
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'ServiceLossDurationThreshold', 'description': 'Minimum duration of unexpected cellular service loss before considering it suspicious (reduces noise from transient coverage issues).'}, {'field': 'SimStateChangeTypes', 'description': 'Which SIM-related state changes to alert on (SIM removed, SIM refresh, operator changed, eSIM profile changed).'}, {'field': 'SwapCorrelationWindow', 'description': 'Time window to correlate SIM/service state change with downstream identity traffic anomalies (e.g., 30m–6h).'}, {'field': 'IdentityEndpointAllowList', 'description': 'Baseline of expected IdP/banking/crypto identity endpoints for the org; used to reduce false positives.'}, {'field': 'AuthTrafficSpikeThreshold', 'description': 'Threshold for increase in OTP/MFA/account recovery traffic volume relative to user baseline.'}, {'field': 'UserTravelContext', 'description': 'Optional enrichment—treat carrier changes as lower risk during known travel/roaming windows.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-06 15:07:15.622000+00:00 description The OS may show a notification to the user that the SIM card has been transferred to another device. A defender correlates a sudden carrier identity/service state change (SIM/line identifier change or unexpected loss of cellular service) with near-term device messaging/telephony disruption and a concurrent shift in authentication traffic patterns—such as a spike in SMS-based verification flows or account recovery activity from the same user’s identities—indicating the user’s number may have been transferred to a different SIM/device (SIM swap impact). x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Cellular service state transitions (in-service→no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Device inventory changes involving phone number/line identifier fields (when available), eSIM profile presence, or compliance signal indicating SIM profile change'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss'}
[AN1748] Analytic 1748 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The OS may show a notification to the user that the SIM card t A defender correlates an unexpected change in cellular subsc
+ has been transferred to another device. ription state (eSIM/SIM profile change, carrier/operator cha
+ nge, or sudden persistent loss of cellular service) with nea
+ r-term disruption signals and a rapid increase in authentica
+ tion-related network activity consistent with SMS verificati
+ on or account recovery flows, suggesting the user’s number h
+ as been ported to an adversary-controlled SIM/device (SIM sw
+ ap impact).
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'SupervisedInventoryAvailability', 'description': 'Tuning based on whether supervised iOS + MDM provides sufficient subscription/eSIM visibility; otherwise rely on agent + network signals.'}, {'field': 'ServiceLossDurationThreshold', 'description': 'Minimum persistent no-service duration required to reduce false positives from normal carrier fluctuations.'}, {'field': 'SwapCorrelationWindow', 'description': 'Time window to link subscription disruption with identity/auth network anomalies.'}, {'field': 'AuthTrafficSpikeThreshold', 'description': 'Threshold for suspicious increase in OTP/MFA/account recovery traffic relative to device/user baseline.'}, {'field': 'RoamingExpectedRegions', 'description': 'Tuning to reduce false positives when the user is traveling or roaming across carrier networks.'}, {'field': 'IdentityEndpointAllowList', 'description': 'Baseline list of expected identity endpoints (IdP, banking, crypto) for the device/user population'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-06 18:43:26.902000+00:00 description The OS may show a notification to the user that the SIM card has been transferred to another device. A defender correlates an unexpected change in cellular subscription state (eSIM/SIM profile change, carrier/operator change, or sudden persistent loss of cellular service) with near-term disruption signals and a rapid increase in authentication-related network activity consistent with SMS verification or account recovery flows, suggesting the user’s number has been ported to an adversary-controlled SIM/device (SIM swap impact). x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Cellular service state transitions (in-service→no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Managed device inventory change indicating cellular plan/eSIM profile updates (where available via supervised iOS + MDM reporting)'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss'}
[AN1751] Analytic 1751 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can look for applications reque t Defender correlates an app acquiring input-capture capabilit
+ sting the `android.permission.BIND_ACCESSIBILITY_SERVICE` pe y (AccessibilityService enablement or default IME set) with
+ rmission in a service declaration. On Android, the user can high-frequency text-change/IME commit callbacks sourced from
+ view and manage which applications can use accessibility ser other packages, followed by local keylog persistence and/or
+ vices through the device settings in Accessibility. The exac small, immediate network egress. Chain: capability/permissi
+ t device settings menu locations may vary between operating on → intercept (accessibility ‘TYPE_VIEW_TEXT_CHANGED’ or IM
+ system versions. On Android, the user can view and manage wh E commitText/onStartInput bursts) → persist to container → n
+ ich applications have third-party keyboard access through th ear-term egress.
+ e device settings in System -> Languages & input -> Virtual
+ keyboard. On iOS, the user can view and manage which applica
+ tions have third-party keyboard access through the device se
+ ttings in General -> Keyboard.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time between intercept → persist/exfil (e.g., 5–45s).'}, {'field': 'MinKeyEventBurst', 'description': 'Minimum input events in window to flag (e.g., ≥10).'}, {'field': 'RequireA11yOrIME', 'description': 'Only alert when capability is via Accessibility or IME (true/false).'}, {'field': 'PersistPathRegex', 'description': 'Regex for keylog artifacts in app container.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Enterprise/analytics endpoints to suppress FPs.'}, {'field': 'UserContext', 'description': 'Foreground/Work Profile/Kiosk to scope alerts.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 18:53:00.289000+00:00 description Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.
+On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. Defender correlates an app acquiring input-capture capability (AccessibilityService enablement or default IME set) with high-frequency text-change/IME commit callbacks sourced from other packages, followed by local keylog persistence and/or small, immediate network egress. Chain: capability/permission → intercept (accessibility ‘TYPE_VIEW_TEXT_CHANGED’ or IME commitText/onStartInput bursts) → persist to container → near-term egress. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'android:logcat', 'channel': 'Grant/enablement for BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD for '} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'android:logcat', 'channel': 'Default IME active imeId=; frequent onStartInput/commitText calls'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'CREATE/WRITE to /data/data//(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)'}
[AN1752] Analytic 1752 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can look for applications reque t Defender correlates a custom keyboard extension activation (
+ sting the `android.permission.BIND_ACCESSIBILITY_SERVICE` pe optionally with TCC ‘Full Access’) or abnormal UI text-entry
+ rmission in a service declaration. On Android, the user can interception with local keylog persistence and/or small egr
+ view and manage which applications can use accessibility ser ess. Chain: capability/consent (keyboard Full Access/TCC) →
+ vices through the device settings in Accessibility. The exac intercept (keyboard commit events or repeated secure text en
+ t device settings menu locations may vary between operating try edits) → persist to container → near-term egress.
+ system versions. On Android, the user can view and manage wh
+ ich applications have third-party keyboard access through th
+ e device settings in System -> Languages & input -> Virtual
+ keyboard. On iOS, the user can view and manage which applica
+ tions have third-party keyboard access through the device se
+ ttings in General -> Keyboard.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from intercept → persist/exfil (e.g., 5–60s).'}, {'field': 'MinKeyEventBurst', 'description': 'Minimum keyboard commit or editingChanged events (e.g., ≥10).'}, {'field': 'KeyboardFullAccessRequired', 'description': 'Require Full Access to elevate severity (true/false).'}, {'field': 'PersistPathRegex', 'description': 'Regex for keylog artifacts under container paths.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Allowlisted enterprise/analytics endpoints.'}, {'field': 'UserContext', 'description': 'Foreground state, Focus modes, MDM policy.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 19:12:28.428000+00:00 description Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.
+On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. Defender correlates a custom keyboard extension activation (optionally with TCC ‘Full Access’) or abnormal UI text-entry interception with local keylog persistence and/or small egress. Chain: capability/consent (keyboard Full Access/TCC) → intercept (keyboard commit events or repeated secure text entry edits) → persist to container → near-term egress. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'iOS:unifiedlog', 'channel': 'Keyboard extension Full Access change or related privacy grant for '} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'Secure text entry focus and editingChanged bursts not typical for the app'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container'}
[AN1753] Analytic 1753 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Network carriers may be able to use firewalls, Intrusion Det t Defender observes anomalous signaling network queries target
+ ection Systems (IDS), or Intrusion Prevention Systems (IPS) ing subscriber information associated with a device, includi
+ to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG ng unexpected routing requests, location information exchang
+ 10-FinalReport) The CSRIC also suggests threat information s es, or node-origin inconsistencies indicative of SS7 signali
+ haring between telecommunications industry members. ng abuse. (Citation: CSRIC5-WG10-FinalReport) The CSRIC also
+ suggests threat information sharing between telecommunicati
+ ons industry members.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'NodeIdentityDeviationThreshold', 'description': 'Defines acceptable variance for signaling node identifiers'}, {'field': 'SubscriberQueryFrequencyThreshold', 'description': 'Baseline-dependent threshold for excessive subscriber queries'}, {'field': 'GeographicRoutingDeviation', 'description': 'Expected signaling path vs observed routing anomalies'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-24 17:54:57.531000+00:00 description Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members. Defender observes anomalous signaling network queries targeting subscriber information associated with a device, including unexpected routing requests, location information exchanges, or node-origin inconsistencies indicative of SS7 signaling abuse. (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'TelecomLogs:SS7Signaling', 'channel': 'Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'TelecomLogs:MobilityEvents', 'channel': 'Unexpected location resolution events or abnormal subscriber tracking requests'}
[AN1754] Analytic 1754 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Network carriers may be able to use firewalls, Intrusion Det t Defender observes anomalous signaling interactions involving
+ ection Systems (IDS), or Intrusion Prevention Systems (IPS) subscriber identity or location resolution events associate
+ to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG d with a device, including abnormal routing requests, unexpe
+ 10-FinalReport) The CSRIC also suggests threat information s cted location information exchanges, or signaling node incon
+ haring between telecommunications industry members. sistencies indicative of SS7 abuse. (Citation: CSRIC5-WG10-F
+ inalReport) The CSRIC also suggests threat information shari
+ ng between telecommunications industry members.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'LocationQueryAnomalyThreshold', 'description': 'Baseline deviation tolerance for location resolution events'}, {'field': 'SignalingPathDeviationThreshold', 'description': 'Expected vs observed signaling routing paths'}, {'field': 'SubscriberResolutionFrequency', 'description': 'Threshold for abnormal resolution or lookup behavior'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-24 17:56:26.375000+00:00 description Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members. Defender observes anomalous signaling interactions involving subscriber identity or location resolution events associated with a device, including abnormal routing requests, unexpected location information exchanges, or signaling node inconsistencies indicative of SS7 abuse. (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'TelecomLogs:SS7Signaling', 'channel': 'Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'TelecomLogs:MobilityEvents', 'channel': 'Unexpected subscriber tracking or abnormal mobility/location resolution activity'}
[AN1755] Analytic 1755 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Network traffic analysis could reveal patterns of compromise t Defender observes a mobile device initiating abnormal or exp
+ if devices attempt to access unusual targets or resources. loit-like network interactions with internal or remote servi
+ Application vetting may be able to identify applications th ces, followed by process-level instability, privilege bounda
+ at perform [Discovery](https://attack.mitre.org/tactics/TA00 ry shifts, or unexpected execution behaviors indicative of s
+ 32) or utilize existing connectivity to remotely access host ervice exploitation outcomes.
+ s within an internal enterprise network.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'ProtocolAnomalyThreshold', 'description': 'Defines deviation tolerance for malformed or exploit-like protocol behavior'}, {'field': 'CrashCorrelationWindow', 'description': 'Temporal linkage between suspicious network activity and process instability'}, {'field': 'EnterpriseServiceBaseline', 'description': 'Environment-specific baseline of expected internal service communications'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-23 17:50:48.706000+00:00 description Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources.
+Application vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. Defender observes a mobile device initiating abnormal or exploit-like network interactions with internal or remote services, followed by process-level instability, privilege boundary shifts, or unexpected execution behaviors indicative of service exploitation outcomes. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Connections', 'channel': 'Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'AndroidLogs:Crash', 'channel': 'Application or system process crash/restart patterns temporally associated with remote service communications'}
[AN1756] Analytic 1756 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Network traffic analysis could reveal patterns of compromise t Defender observes a mobile device engaging remote or interna
+ if devices attempt to access unusual targets or resources. l services with traffic characteristics inconsistent with no
+ Application vetting may be able to identify applications th rmal application behavior, followed by execution anomalies,
+ at perform [Discovery](https://attack.mitre.org/tactics/TA00 application instability, or security context deviations cons
+ 32) or utilize existing connectivity to remotely access host istent with exploitation effects.
+ s within an internal enterprise network.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TrafficDeviationThreshold', 'description': 'Defines acceptable protocol and payload variation'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-23 17:58:13.523000+00:00 description Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources.
+Application vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. Defender observes a mobile device engaging remote or internal services with traffic characteristics inconsistent with normal application behavior, followed by execution anomalies, application instability, or security context deviations consistent with exploitation effects. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Connections', 'channel': 'Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'iOS:unifiedlog', 'channel': 'Application crash logs, watchdog terminations, or abnormal execution events associated with service communication'}
[AN1758] Analytic 1758 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can potentially utilize device APIs t From the defender’s perspective, this strategy correlates si
+ to determine if a device has been rooted or jailbroken. App gnals that a previously unprivileged Android app or process
+ lication vetting services could potentially determine if an has gained higher privileges through exploitation rather tha
+ application contains code designed to exploit vulnerabilitie n normal OS or MDM flows. Observable behaviors include: (1
+ s. ) unprivileged app processes issuing sensitive syscalls or a
+ ccessing privileged device interfaces, (2) bursts of SELinu
+ x denials followed by an unexpected domain or permission cha
+ nge, (3) creation of new processes running with system or r
+ oot UID whose lineage traces back to an app sandbox path, an
+ d (4) crashes or abnormal restarts of privileged system ser
+ vices followed shortly by a new connection or binder interac
+ tion from the same low-privileged app. The focus is on unusu
+ al privilege transitions, anomalous process ancestry, and OS
+ security policy violations, not on specific exploit binarie
+ s or CVE signatures.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window (for example, 60–300 seconds) between SELinux events, crashes, and privilege changes to reduce noise while still capturing exploit chains.'}, {'field': 'AppUidRange', 'description': 'UID ranges that represent unprivileged application accounts in a specific Android OEM or enterprise deployment.'}, {'field': 'SensitiveSyscalls', 'description': 'List of syscalls considered indicative of privilege escalation attempts; may vary by kernel version, OEM drivers, and threat model.'}, {'field': 'PrivilegedServices', 'description': 'Set of high-value Android system services where crashes or restarts are particularly suspicious (for example, system_server, mediaserver).'}, {'field': 'PrivilegedUids', 'description': 'Enterprise-defined mapping of UIDs considered elevated (for example, root, system, radio) for alert scoping.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2025-12-04 17:12:06.342000+00:00 description Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.
+Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities. From the defender’s perspective, this strategy correlates signals that a previously unprivileged Android app or process has gained higher privileges through exploitation rather than normal OS or MDM flows.
+Observable behaviors include:
+(1) unprivileged app processes issuing sensitive syscalls or accessing privileged device interfaces,
+(2) bursts of SELinux denials followed by an unexpected domain or permission change,
+(3) creation of new processes running with system or root UID whose lineage traces back to an app sandbox path, and
+(4) crashes or abnormal restarts of privileged system services followed shortly by a new connection or binder interaction from the same low-privileged app. The focus is on unusual privilege transitions, anomalous process ancestry, and OS security policy violations, not on specific exploit binaries or CVE signatures. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'AndroidLogs:Crash', 'channel': 'Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'AndroidLogs:Kernel', 'channel': 'Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'AndroidLogs:Framework', 'channel': 'Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/), or whose parent process originates from an app sandbox'}
[AN1759] Analytic 1759 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can potentially utilize device APIs t Correlates app sandbox escape attempts via unsigned binary e
+ to determine if a device has been rooted or jailbroken. App xecution, mmap memory permission changes (RWX), and sandbox
+ lication vetting services could potentially determine if an profile violations. Detection chain includes app leveraging
+ application contains code designed to exploit vulnerabilitie JIT/JSC to execute shellcode or triggering kernel exploit vi
+ s. a crafted IOKit or Mach port abuse.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'ExecutableHashAllowList', 'description': 'Allowlist known benign unsigned binaries for reducing FP.'}, {'field': 'RWXThreshold', 'description': 'Adjustable threshold for RWX page allocation frequency or size.'}, {'field': 'JITContextDetection', 'description': 'May require tuning based on OS version and legitimate app usage (e.g., Safari JIT).'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-16 15:51:26.313000+00:00 description Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.
+Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities. Correlates app sandbox escape attempts via unsigned binary execution, mmap memory permission changes (RWX), and sandbox profile violations. Detection chain includes app leveraging JIT/JSC to execute shellcode or triggering kernel exploit via crafted IOKit or Mach port abuse. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'iOS:unifiedlog', 'channel': 'code signature validation failure / exec of invalidly-signed payload from sandboxed app'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'iOS:unifiedlog', 'channel': 'mmap with PROT_EXEC and PROT_WRITE by sandboxed app'}
[AN1762] Analytic 1762 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Since data encryption is a common practice in many legitimat t An application generates, imports, or accesses asymmetric ke
+ e applications and uses standard programming language-specif ypairs (e.g., RSA/ECC), uses a public key to encrypt outboun
+ ic APIs, encrypting data for command and control communicati d data or establish encrypted sessions, and transmits result
+ on is regarded as undetectable to the user. ing ciphertext in structured communication patterns. Detecti
+ on correlates keypair lifecycle activity + asymmetric crypto
+ API usage + data transformation + background execution cont
+ ext + network transmission, especially when inconsistent wit
+ h expected application functionality.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Keypair generation, import, or access events (public/private key usage) occurring prior to network communication'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Asymmetric crypto operations occur while app_state=background OR device_locked=true OR no recent user interaction'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between keypair usage and outbound communication'}, {'field': 'AllowedCryptoApps', 'description': 'Apps expected to use asymmetric cryptography (e.g., secure messaging, VPN, enterprise auth apps)'}, {'field': 'ForegroundStateRequired', 'description': 'Whether key generation/encryption should occur only during user interaction'}, {'field': 'KeyGenerationThreshold', 'description': 'Frequency of keypair generation/import events considered anomalous'}, {'field': 'PayloadSizeVariance', 'description': 
'Expected variability in payload sizes due to asymmetric encryption overhead'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-06 15:51:25.896000+00:00 description Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user. An application generates, imports, or accesses asymmetric keypairs (e.g., RSA/ECC), uses a public key to encrypt outbound data or establish encrypted sessions, and transmits resulting ciphertext in structured communication patterns. Detection correlates keypair lifecycle activity + asymmetric crypto API usage + data transformation + background execution context + network transmission, especially when inconsistent with expected application functionality. x_mitre_version 1.0 1.1
[AN1763] Analytic 1763 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Since data encryption is a common practice in many legitimat t Indirect evidence of asymmetric cryptographic channel usage
+ e applications and uses standard programming language-specif inferred through key exchange-like network patterns and appl
+ ic APIs, encrypting data for command and control communicati ication background execution behavior, where direct observat
+ on is regarded as undetectable to the user. ion of keypair operations is limited. Detection correlates a
+ pp entitlement posture + background execution + asymmetric h
+ andshake patterns + subsequent encrypted communication.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between initial communication burst and steady encrypted traffic'}, {'field': 'AllowedAppList', 'description': 'Apps expected to perform asymmetric key exchanges'}, {'field': 'HandshakePatternThreshold', 'description': 'Threshold for identifying asymmetric handshake-like traffic patterns'}, {'field': 'ForegroundStateRequired', 'description': 'Whether communication establishment should occur during user interaction'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-06 15:53:14.197000+00:00 description Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user. Indirect evidence of asymmetric cryptographic channel usage inferred through key exchange-like network patterns and application background execution behavior, where direct observation of keypair operations is limited. Detection correlates app entitlement posture + background execution + asymmetric handshake patterns + subsequent encrypted communication. x_mitre_version 1.0 1.1
[AN1764] Analytic 1764 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can look for the use of the And t The defender correlates Android screen-capture-capable behav
+ roid `MediaProjectionManager` class, applying extra scrutiny ior from an app identity with runtime context showing that f
+ to applications that use the class. The user can view a lis oreground content from another app is being captured outside
+ t of apps with accessibility service privileges in the devic expected user-driven workflows. The strongest Android evide
+ e settings. nce is MediaProjection-like capture initiation, accessibilit
+ y-assisted observation of foreground UI content, or privileg
+ ed screencap or screenrecord behavior, followed by screensho
+ t or video artifact creation, buffer growth, or outbound tra
+ nsfer. The detection is strengthened when the capturing app
+ is backgrounded, operates as a foreground service without cl
+ ear user-driven recording intent, captures while another sen
+ sitive app is foregrounded, runs with accessibility or eleva
+ ted access inconsistent with its role, or performs capture w
+ ithout recent user interaction.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window linking capture-path invocation, foreground-app context, artifact creation, and optional upload.'}, {'field': 'AllowedAppList', 'description': 'Approved screen-recording, accessibility, remote-support, or QA/testing apps vary by organization and device group.'}, {'field': 'AllowedAccessibilityApps', 'description': 'Approved accessibility-enabled apps vary by assistive and enterprise workflow.'}, {'field': 'AllowedForegroundServiceCaptureApps', 'description': 'Some approved apps may legitimately use foreground services during screen recording.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close capture initiation must be to user interaction to be considered expected.'}, {'field': 'SensitiveForegroundAppCategories', 'description': 'Categories such as banking, identity, messaging, or enterprise apps may warrant higher sensitivity during capture.'}, {'field': 'ArtifactWriteThreshold', 'description': 'Minimum screenshot/video/cache write volume indicating probable screen-capture output.'}, {'field': 'UplinkBytesThreshold', 'description': 'Threshold for suspicious outbound transfer after capture.'}, {'field': 'ConsentInteractionGracePeriod', 'description': 'Grace period allowed for expected user consent or explicit initiation before capture is treated as suspicious.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-24 17:47:35.979000+00:00 description Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.
+The user can view a list of apps with accessibility service privileges in the device settings. The defender correlates Android screen-capture-capable behavior from an app identity with runtime context showing that foreground content from another app is being captured outside expected user-driven workflows. The strongest Android evidence is MediaProjection-like capture initiation, accessibility-assisted observation of foreground UI content, or privileged screencap or screenrecord behavior, followed by screenshot or video artifact creation, buffer growth, or outbound transfer. The detection is strengthened when the capturing app is backgrounded, operates as a foreground service without clear user-driven recording intent, captures while another sensitive app is foregrounded, runs with accessibility or elevated access inconsistent with its role, or performs capture without recent user interaction. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Capturing app remained backgrounded or foreground-service-only while screen capture session occurred and another app was foregrounded during capture interval'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before screen capture session start and no expected foreground transition or consent-linked interaction occurred during capture interval'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Sensitive app category remained foregrounded during screen capture session from different app identity'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App identity performing screen capture had unapproved accessibility posture, capture-related special access, unmanaged state, or was not approved for screen recording or assistive observation workflows'}
[AN1767] Analytic 1767 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Many encryption mechanisms are built into standard applicati t The defender correlates recent access to locally collected o
+ on-accessible APIs and are therefore undetectable to the end r protected data with subsequent compression, packaging, or
+ user. encryption behavior inside the same app context, followed by
+ creation of archive-like or high-entropy output and optiona
+ l near-term network transmission. The analytic prioritizes A
+ ndroid runtime and storage effects: application data access
+ or sensor-derived collection, compression/encryption framewo
+ rk use, archive/blob creation in app-accessible storage, and
+ background or device-locked execution inconsistent with the
+ app’s declared function.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed application with no declared backup, sync, export, or media-editing role performs bulk local packaging or encrypted archive generation'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between data access, package creation, encryption, and optional network upload'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to package local data such as backup, cloud sync, file manager, or media editing apps'}, {'field': 'AllowedPathList', 'description': 'Expected storage paths for legitimate archives, exports, or caches'}, {'field': 
'ForegroundStateRequired', 'description': 'Whether packaging/export behavior should occur only during active user-driven workflows'}, {'field': 'BurstReadThreshold', 'description': 'Number of files or records read in a short interval before archive creation'}, {'field': 'ArchiveSizeThreshold', 'description': 'Minimum output size for suspicious packaged blob or archive'}, {'field': 'EntropyThreshold', 'description': 'Threshold for identifying encrypted or heavily compressed output'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum upload size consistent with recent archive creation'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-08 16:39:38.897000+00:00 description Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user. The defender correlates recent access to locally collected or protected data with subsequent compression, packaging, or encryption behavior inside the same app context, followed by creation of archive-like or high-entropy output and optional near-term network transmission. The analytic prioritizes Android runtime and storage effects: application data access or sensor-derived collection, compression/encryption framework use, archive/blob creation in app-accessible storage, and background or device-locked execution inconsistent with the app’s declared function. x_mitre_version 1.0 1.1
[AN1768] Analytic 1768 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Many encryption mechanisms are built into standard applicati t The defender correlates managed-app data access and lifecycl
+ on-accessible APIs and are therefore undetectable to the end e context with indirect evidence of packaging or encryption
+ user. prior to outbound transfer. Because direct archive/compressi
+ on visibility is generally weaker on iOS, the analytic ancho
+ rs on app lifecycle state, file/output effects observable by
+ mobile EDR where available, managed app role via MDM, and d
+ ownstream network uploads that closely follow creation of ne
+ w large or high-entropy local artifacts. Confidence is lower
+ when only network effects are available.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Supervised managed app without expected export, backup, or sync role performs local data staging behavior followed by opaque upload activity'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Managed app enters background-capable execution or resumes processing immediately before archive-like file creation or upload behavior'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between lifecycle event, local package creation, and upload'}, {'field': 'AllowedAppList', 'description': 'Managed apps expected to archive, export, or synchronize data'}, {'field': 'AllowedDestinationList', 'description': 'Approved cloud, enterprise, or sync endpoints for legitimate exports'}, {'field': 'ForegroundStateRequired', 'description': 'Whether packaging or export should occur only during active user interaction'}, {'field': 'ArchiveSizeThreshold', 'description': 'Minimum size for suspicious local package or blob'}, {'field': 'EntropyThreshold', 'description': 'Threshold for identifying encrypted or compressed staged output'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume 
consistent with recently created archive'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-08 18:29:03.808000+00:00 description Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user. The defender correlates managed-app data access and lifecycle context with indirect evidence of packaging or encryption prior to outbound transfer. Because direct archive/compression visibility is generally weaker on iOS, the analytic anchors on app lifecycle state, file/output effects observable by mobile EDR where available, managed app role via MDM, and downstream network uploads that closely follow creation of new large or high-entropy local artifacts. Confidence is lower when only network effects are available. x_mitre_version 1.0 1.1
[AN1770] Analytic 1770 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may provide a list of connectio t The defender correlates outbound communication from an appli
+ ns made or received by an application, or a list of domains cation or service to legitimate external web platforms with
+ contacted by the application. Many properly configured firew mobile runtime context showing that the communication is inc
+ alls may naturally block command and control traffic. onsistent with the app's approved role, expected destination
+ s, user interaction pattern, or device state. The strongest
+ Android evidence is a managed or installed app communicating
+ with cloud storage, social, messaging, code-hosting, or gen
+ eric HTTPS web-service infrastructure shortly after backgrou
+ nd activation, protected-resource use, or local staging acti
+ vity, especially when the device is locked, user interaction
+ is absent, or the app's historical network baseline does no
+ t include that service class.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window linking app state, resource use, staging activity, and web-service communication.'}, {'field': 'AllowedAppList', 'description': 'Approved app identities and expected business roles vary by fleet and device group.'}, {'field': 'AllowedServiceClasses', 'description': 'Some organizations legitimately use cloud storage, messaging, or collaboration services from mobile apps.'}, {'field': 'AllowedDestinations', 'description': 'Expected domains, SNI values, CDNs, API endpoints, and redirectors vary by application and tenant.'}, {'field': 'ForegroundStateRequired', 'description': 'Certain apps may legitimately communicate only in foreground, while others support background sync.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close traffic must be to user activity to be considered expected.'}, {'field': 'BeaconIntervalTolerance', 'description': 'Recurring connection periodicity thresholds vary with push, sync, and collaboration workloads.'}, {'field': 'UplinkBytesThreshold', 'description': 'Data volume threshold for suspicious transfer to legitimate web-service infrastructure.'}, {'field': 'ExpectedBackgroundBehavior', 'description': 'Normal background communication differs across app categories such as mail, chat, navigation, and security tools.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-17 19:52:38.107000+00:00 description Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.
+Many properly configured firewalls may naturally block command and control traffic. The defender correlates outbound communication from an application or service to legitimate external web platforms with mobile runtime context showing that the communication is inconsistent with the app's approved role, expected destinations, user interaction pattern, or device state. The strongest Android evidence is a managed or installed app communicating with cloud storage, social, messaging, code-hosting, or generic HTTPS web-service infrastructure shortly after background activation, protected-resource use, or local staging activity, especially when the device is locked, user interaction is absent, or the app's historical network baseline does not include that service class. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class"} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'App communicating with external web service is backgrounded, persistent, recently awakened, or active while device is locked or without recent user interaction in a way inconsistent with expected app behavior'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App communicating with legitimate web-service infrastructure is unmanaged, newly installed, recently updated, outside approved app list, or shows baseline drift in role, installer source, or expected capability profile'}
[AN1771] Analytic 1771 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may provide a list of connectio t The defender correlates communication to legitimate external
+ ns made or received by an application, or a list of domains web-service platforms with supervised managed-app context a
+ contacted by the application. Many properly configured firew nd device-state information showing that the traffic is inco
+ alls may naturally block command and control traffic. nsistent with the app's expected role, background-refresh pr
+ ofile, or user interaction timing. On iOS, the strongest rel
+ iable evidence is network telemetry tied to a managed app or
+ device plus app state and supervision context, especially w
+ hen traffic to social, collaboration, cloud-storage, or gene
+ ric HTTPS platforms occurs shortly after background activity
+ , while the device is locked, or without expected user-drive
+ n foreground execution. Direct low-level framework visibilit
+ y is weaker than Android, so primary analytic confidence sho
+ uld be anchored to supervised app context plus network behav
+ ior rather than assumed host-level proof.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between app state changes and communication with legitimate web-service infrastructure.'}, {'field': 'SupervisedRequired', 'description': 'Strongest app context and managed state analytics depend on supervised iOS devices.'}, {'field': 'AllowedManagedApps', 'description': 'Approved managed apps and expected business use vary by organization and device profile.'}, {'field': 'AllowedServiceClasses', 'description': 'Some managed apps legitimately communicate with collaboration, cloud-storage, or messaging services.'}, {'field': 'AllowedDestinations', 'description': 'Expected Apple, enterprise, SaaS, CDN, and API destinations vary by app and tenant.'}, {'field': 'BackgroundRefreshBaseline', 'description': 'Normal background network behavior differs across mail, chat, navigation, and enterprise apps.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close traffic must be to user activity to be considered expected.'}, {'field': 'BeaconIntervalTolerance', 'description': 'Allowed periodicity for sync, push, and refresh traffic varies across app categories.'}, {'field': 'UplinkBytesThreshold', 'description': 'Threshold for suspicious transfer volume to legitimate web-service platforms.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-17 20:24:52.509000+00:00 description Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.
+Many properly configured firewalls may naturally block command and control traffic. The defender correlates communication to legitimate external web-service platforms with supervised managed-app context and device-state information showing that the traffic is inconsistent with the app's expected role, background-refresh profile, or user interaction timing. On iOS, the strongest reliable evidence is network telemetry tied to a managed app or device plus app state and supervision context, especially when traffic to social, collaboration, cloud-storage, or generic HTTPS platforms occurs shortly after background activity, while the device is locked, or without expected user-driven foreground execution. Direct low-level framework visibility is weaker than Android, so primary analytic confidence should be anchored to supervised app context plus network behavior rather than assumed host-level proof. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Managed app shows background activity, refresh, or lock-state-adjacent execution temporally aligned to web-service communication 
without expected foreground use or recent user interaction'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Managed app communicating with legitimate web-service infrastructure is newly installed, recently updated, outside expected managed-app set, or displays baseline drift in app role, release path, or business justification'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device'}
[AN1772] Analytic 1772 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t In iOS 14 and up, an orange dot (or orange square if the Dif t A defender observes an application holding microphone captur
+ ferentiate Without Color setting is enabled) appears in the e capability transitioning into active microphone resource u
+ status bar when the microphone is being used by an applicati sage through Android audio APIs (e.g., MediaRecorder or Audi
+ on. However, there have been demonstrations indicating it ma oRecord), followed by sustained capture while the applicatio
+ y still be possible to access the microphone in the backgrou n is backgrounded or the device is locked, and subsequent ou
+ nd without triggering this visual indicator by abusing featu tbound network traffic suggesting potential audio exfiltrati
+ res that natively access the microphone or camera but do not on or streaming.
+ trigger the visual indicators.(Citation: iOS Mic Spyware)
+ In Android 12 and up, a green dot appears in the status bar
+ when the microphone is being used by an application.(Citati
+ on: Android Privacy Indicators) Android applications using t
+ he `RECORD_AUDIO` permission and iOS applications using `Req
+ uestRecordPermission` should be carefully reviewed and monit
+ ored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a
+ third-party Android application, the application should be
+ heavily scrutinized. In both Android (6.0 and up) and iOS,
+ the user can review which applications have the permission t
+ o access the microphone through the device settings screen a
+ nd revoke permissions as necessary.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'RecordingDurationThreshold', 'description': 'Minimum microphone session duration before triggering detection to reduce noise from short legitimate captures.'}, {'field': 'BackgroundCapturePolicy', 'description': 'Environment-specific baseline for legitimate background microphone usage'}, {'field': 'CaptureToNetworkTimeWindow', 'description': 'Time window correlating microphone activation with outbound network traffic.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-04 23:26:47.489000+00:00 description In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)
+
+
+In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)
+Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.
+
+In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. A defender observes an application holding microphone capture capability transitioning into active microphone resource usage through Android audio APIs (e.g., MediaRecorder or AudioRecord), followed by sustained capture while the application is backgrounded or the device is locked, and subsequent outbound network traffic suggesting potential audio exfiltration or streaming. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Microphone sensor activation or audio recording session initiated by application process'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Application transitions to background or executes while screen locked during microphone session'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Application granted or retaining RECORD_AUDIO permission or privileged CAPTURE_AUDIO_OUTPUT capability'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'Application writes audio buffer or recorded audio file into application storage directories'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Android Privacy Indicators', 'description': 'Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.', 'url': 'https://source.android.com/devices/tech/config/privacy-indicators'} external_references {'source_name': 'iOS Mic Spyware', 'description': 'ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.', 'url': 'https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/'}
[AN1773] Analytic 1773 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t In iOS 14 and up, an orange dot (or orange square if the Dif t A defender observes an application with declared microphone
+ ferentiate Without Color setting is enabled) appears in the capability initiating microphone resource use through iOS au
+ status bar when the microphone is being used by an applicati dio frameworks, potentially during background execution or s
+ on. However, there have been demonstrations indicating it ma hortly after a silent wake event, followed by sustained audi
+ y still be possible to access the microphone in the backgrou o capture and outbound encrypted traffic suggesting audio st
+ nd without triggering this visual indicator by abusing featu reaming or upload activity.
+ res that natively access the microphone or camera but do not
+ trigger the visual indicators.(Citation: iOS Mic Spyware)
+ In Android 12 and up, a green dot appears in the status bar
+ when the microphone is being used by an application.(Citati
+ on: Android Privacy Indicators) Android applications using t
+ he `RECORD_AUDIO` permission and iOS applications using `Req
+ uestRecordPermission` should be carefully reviewed and monit
+ ored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a
+ third-party Android application, the application should be
+ heavily scrutinized. In both Android (6.0 and up) and iOS,
+ the user can review which applications have the permission t
+ o access the microphone through the device settings screen a
+ nd revoke permissions as necessary.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'ExpectedAudioAppsBaseline', 'description': 'Allow-list of legitimate applications expected to record audio on the device.'}, {'field': 'BackgroundWakeCorrelationWindow', 'description': 'Time window correlating background wake events with microphone activation.'}, {'field': 'MicSessionDurationThreshold', 'description': 'Minimum microphone recording duration considered suspicious.'}, {'field': 'MicToNetworkCorrelationWindow', 'description': 'Time window linking microphone activation to outbound network activity.'}, {'field': 'UplinkBytesThreshold', 'description': 'Threshold for outbound traffic volume indicating possible audio upload.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-04 23:33:56.647000+00:00 description In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)
+
+
+In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)
+Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.
+
+In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. A defender observes an application with declared microphone capability initiating microphone resource use through iOS audio frameworks, potentially during background execution or shortly after a silent wake event, followed by sustained audio capture and outbound encrypted traffic suggesting audio streaming or upload activity. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Microphone sensor activation or audio recording session initiated by application process'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'Application writes audio buffer or recorded audio file into application storage directories'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Application transitions to background or executes while screen locked during microphone session'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Application installed with NSMicrophoneUsageDescription entitlement indicating microphone capability'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Android Privacy Indicators', 'description': 'Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.', 'url': 'https://source.android.com/devices/tech/config/privacy-indicators'} external_references {'source_name': 'iOS Mic Spyware', 'description': 'ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.', 'url': 'https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/'}
[AN1776] Analytic 1776 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t In both Android (6.0 and up) and iOS, the user can view whic t Defender correlates an application gaining/retaining fine or
+ h applications have the permission to access the device loca background location capability with subsequent location sen
+ tion through the device settings screen and revoke permissio sor sessions that occur while the app is backgrounded or the
+ ns as necessary. Android applications requesting the `ACCES device is locked, followed by repeated location reads at a
+ S_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKG periodic cadence and near-term outbound connections to domai
+ ROUND_LOCATION` permissions and iOS applications including t ns not typical for fleet navigation/MDM services, indicating
+ he `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysA covert location tracking.
+ ndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageD
+ escription` keys in their `Info.plist` file could be scrutin
+ ized during the application vetting process.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'LocationSamplingFrequencyThreshold', 'description': 'Defines acceptable rate of location queries before triggering anomaly conditions'}, {'field': 'BackgroundLocationPolicy', 'description': 'Baseline of legitimate background location usage across applications'}, {'field': 'LocationToNetworkTimeWindow', 'description': 'Temporal linkage between location access and outbound traffic'}, {'field': 'UserInteractionWindow', 'description': 'Maximum time since last user interaction before location access becomes suspicious.'}, {'field': 'AllowedLocationApps', 'description': 'Allow-list of expected location-heavy apps (maps, rideshare, fleet apps) for the enterprise device population'}, {'field': 'DevicePolicySensitivity', 'description': 'Tuning for how aggressively to treat background location permission as risky depending on org policy.'}, {'field': 'AllowedDestinationsBaseline', 'description': 'Baseline of expected domains/IPs for legitimate location services (OEM, mapping SDKs, MDM endpoints) to reduce false positives.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-04 23:46:03.218000+00:00 description In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary.
+Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. Defender correlates an application gaining/retaining fine or background location capability with subsequent location sensor sessions that occur while the app is backgrounded or the device is locked, followed by repeated location reads at a periodic cadence and near-term outbound connections to domains not typical for fleet navigation/MDM services, indicating covert location tracking. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'EDR:telemetry', 'channel': 'Sustained or high-frequency location sensor access, including background location usage'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Application granted/retaining ACCESS_FINE_LOCATION and/or ACCESS_COARSE_LOCATION; background location capability present (ACCESS_BACKGROUND_LOCATION on Android 10+)'}
[AN1777] Analytic 1777 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t In both Android (6.0 and up) and iOS, the user can view whic t Defender correlates an application’s location authorization
+ h applications have the permission to access the device loca level (When-In-Use vs Always) and entitlement posture with o
+ tion through the device settings screen and revoke permissio bserved location sensor activity that occurs without proxima
+ ns as necessary. Android applications requesting the `ACCES te user interaction, including background updates, followed
+ S_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKG by periodic outbound network sessions aligned to location up
+ ROUND_LOCATION` permissions and iOS applications including t date timing—suggesting covert or policy-violating location t
+ he `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysA racking.
+ ndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageD
+ escription` keys in their `Info.plist` file could be scrutin
+ ized during the application vetting process.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'ForegroundLocationExpectation', 'description': 'Defines legitimate location usage relative to app state'}, {'field': 'LocationAccessDurationThreshold', 'description': 'Baseline deviation tolerance for sustained location tracking'}, {'field': 'LocationToTransmissionWindow', 'description': 'Temporal threshold linking location access to network activity'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-04 23:47:29.735000+00:00 description In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary.
+Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. Defender correlates an application’s location authorization level (When-In-Use vs Always) and entitlement posture with observed location sensor activity that occurs without proximate user interaction, including background updates, followed by periodic outbound network sessions aligned to location update timing—suggesting covert or policy-violating location tracking. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Application activates CoreLocation services or CLLocationManager APIs'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state'}
[AN1778] Analytic 1778 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t An Android user can view and manage which applications hold t Defender correlates an app preparing to phish (gaining overl
+ the `SYSTEM_ALERT_WINDOW` permission through the device sett ay/notification/accessibility capability) with precise foreg
+ ings in Apps & notifications -> Special app access -> Displa round targeting (reading activity in front via accessibility
+ y over other apps (the exact menu location may vary between /focus) and then presenting a look-alike UI (overlay window
+ Android versions). Application vetting services can look fo or activity-on-top) immediately before local storage or smal
+ r applications requesting the `android.permission.SYSTEM_ALE l-burst egress of entered data. Chain: capability/permission
+ RT_WINDOW` permission in the list of permissions in the app → target app in foreground detected → overlay/activity-on-t
+ manifest. op or fake notification tap → local prompt input write → nea
+ r-term network egress.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from overlay/activity to persist/exfil (e.g., 5–60s).'}, {'field': 'OverlayRequired', 'description': 'Require overlay evidence unless activity-on-top is observed (true/false).'}, {'field': 'TargetPkgWatchlist', 'description': 'List of high-value target packages (banking, identity) to raise severity.'}, {'field': 'PersistPathRegex', 'description': 'Regex for local prompt data artifacts.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Known-good analytics/CDN/service domains to suppress FPs.'}, {'field': 'UserContext', 'description': 'Work Profile/Kiosk mode/Accessibility allowlist to scope benign cases.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 19:36:34.664000+00:00 description An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).
+Application vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. Defender correlates an app preparing to phish (gaining overlay/notification/accessibility capability) with precise foreground targeting (reading activity in front via accessibility/focus) and then presenting a look-alike UI (overlay window or activity-on-top) immediately before local storage or small-burst egress of entered data. Chain: capability/permission → target app in foreground detected → overlay/activity-on-top or fake notification tap → local prompt input write → near-term network egress. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'android:logcat', 'channel': 'Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for '} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'android:logcat', 'channel': 'addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over '} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'android:logcat', 'channel': 'startActivity on top of (launchMode/singleTop), task switch immediately after focus'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'CREATE/WRITE to /data/data//(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)'}
[AN1779] Analytic 1779 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t An Android user can view and manage which applications hold t Defender correlates a look-alike prompt inside an app (e.g.,
+ the `SYSTEM_ALERT_WINDOW` permission through the device sett faux Apple ID password view, webview of brand login) with t
+ ings in Apps & notifications -> Special app access -> Displa iming against scene/foreground activation, optional push not
+ y over other apps (the exact menu location may vary between ification bait, then local form cache writes and/or small eg
+ Android versions). Application vetting services can look fo ress. Chain: scene activation around sensitive UI → suspicio
+ r applications requesting the `android.permission.SYSTEM_ALE us prompt creation (UIKit events without expected auth contr
+ RT_WINDOW` permission in the list of permissions in the app oller) or webview navigated to look-alike domain → local cac
+ manifest. he write → near-term egress
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from prompt to persist/exfil (e.g., 5–60s).'}, {'field': 'LookalikeDomainScore', 'description': 'Threshold for domain visual similarity (e.g., ≥0.85).'}, {'field': 'PersistPathRegex', 'description': 'Regex for credential/form cache artifacts in container.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Enterprise/analytics endpoints to suppress FPs'}, {'field': 'UserContext', 'description': 'MDM policy, Focus mode, foreground requirement.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 19:53:20.408000+00:00 description An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).
+Application vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. Defender correlates a look-alike prompt inside an app (e.g., faux Apple ID password view, webview of brand login) with timing against scene/foreground activation, optional push notification bait, then local form cache writes and/or small egress. Chain: scene activation around sensitive UI → suspicious prompt creation (UIKit events without expected auth controller) or webview navigated to look-alike domain → local cache write → near-term egress x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'iOS:unifiedlog', 'channel': 'Scene/foreground transitions for to contextualize timing'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'iOS:unifiedlog', 'channel': 'WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container'}
[AN1780] Analytic 1780 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Detection of steganography is difficult unless detectable ar t Defender correlates an app's opaque media ingress (download/
+ tifacts with a known signature are left behind by the obfusc IPC) with high-entropy or anomalous edits to image/audio/vid
+ ation process. Look for strings are other signatures left in eo files in app-writable storage (e.g., bursts of bitmap/cod
+ system artifacts related to decoding steganography. ec operations, EXIF/IPTC/XMP mutation, suspicious container
+ growth), followed by decoding/extraction behavior (new non-m
+ edia artifact derived from the edited media) and optional ex
+ filtration/sharing of the stego media. Focus is on: (1) opaq
+ ue media arrival → (2) rapid metadata or pixel-domain mutati
+ ons with atypical size/entropy deltas → (3a) decoded payload
+ creation or dynamic load from decoded path, and/or (3b) upl
+ oad/share of the modified media within a tight window.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8', 'name': 'android:logcat', 'channel': 'INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'App UID writes edited media to container paths (e.g., /data/data//files/, .../cache/, /storage/emulated/0/Pictures//) with high delta in size vs. original and elevated estimated segment entropy '}] x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time between media download/ingress, edit, and payload use/share (e.g., 10–120s depending on device performance).'}, {'field': 'PayloadEntropyThresholdMediaSegment', 'description': 'Minimum Shannon entropy for edited media regions or container deltas (e.g., ≥ 7.1) to flag likely embedded payloads.'}, {'field': 'SizeDeltaRatio', 'description': 'Minimum growth ratio between pre/post edit media (e.g., ≥ 1.25) to reduce noise from normal compression.'}, {'field': 'EditBurstWriteCount', 'description': 'Minimum sequential small-write count to indicate chunked embedding or re-encode bursts.'}, {'field': 'SuspiciousMimeTransitions', 'description': 'List of atypical MIME/container transitions (e.g., PNG→JPEG with EXIF injection, WAV→M4A) for local tuning.'}, {'field': 'KnownGoodMediaAppsAllowlist', 'description': 'Trusted editors/camera apps allowed to perform frequent edits without alerting.'}, {'field': 'NetworkCDNAllowlist', 
'description': 'CDNs/domains expected to host user media for the enterprise; suppresses FP for legitimate apps.'}, {'field': 'UserContext', 'description': 'Foreground, Work Profile, developer mode flags used to scope analytics.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-22 19:50:50.601000+00:00 description Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography. Defender correlates an app's opaque media ingress (download/IPC) with high-entropy or anomalous edits to image/audio/video files in app-writable storage (e.g., bursts of bitmap/codec operations, EXIF/IPTC/XMP mutation, suspicious container growth), followed by decoding/extraction behavior (new non-media artifact derived from the edited media) and optional exfiltration/sharing of the stego media. Focus is on: (1) opaque media arrival → (2) rapid metadata or pixel-domain mutations with atypical size/entropy deltas → (3a) decoded payload creation or dynamic load from decoded path, and/or (3b) upload/share of the modified media within a tight window. x_mitre_version 1.0 1.1
[AN1781] Analytic 1781 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may be able to detect if an app t An application with access to broad file scopes or sensitive
+ lication attempts to encrypt files, although this may be ben storage areas becomes active, performs abnormal burst file
+ ign behavior. reads and writes across many user or shared-storage location
+ s, transforms file content or extensions at scale in a short
+ window, and causes rapid file inaccessibility, rewrite, or
+ replacement inconsistent with normal sync, backup, media pro
+ cessing, or document-editing behavior. The defender correlat
+ es capability state, app lifecycle, framework use, bulk file
+ -write effects, and optional network communications to disti
+ nguish encrypt-for-impact behavior from benign bulk file ope
+ rations.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum correlation span between app activation, framework use, and burst file transformation.'}, {'field': 'AllowedAppList', 'description': 'Approved apps allowed to perform legitimate broad file operations such as backup, sync, AV scanning, enterprise migration, media editing, or document management.'}, {'field': 'ForegroundStateRequired', 'description': 'Whether a benign bulk file operation is expected to occur only while the app is visible and actively used.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Threshold for determining whether large-scale file transformation was user-driven versus unattended.'}, {'field': 'FileWriteBurstThreshold', 'description': 'Threshold for number of file create, overwrite, rename, or replace actions within the correlation window.'}, {'field': 'DistinctDirectoryThreshold', 'description': 'Threshold for number of distinct folders or content roots touched during the file-impact burst.'}, {'field': 'ExtensionChangeThreshold', 'description': 'Threshold for suspicious file extension changes or replacement-file patterns indicative of mass transformation.'}, {'field': 'BytesWrittenThreshold', 'description': 'Threshold for cumulative bytes written during the impact window.'}, {'field': 'ProtectedPathAllowList', 'description': 'Known paths, document roots, or work-profile storage locations where benign enterprise migration or sync tooling may rewrite many files.'}, {'field': 'DestinationAllowList', 'description': 'Expected network destinations contacted by legitimate storage, sync, backup, or MDM remediation apps.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-12 17:25:00.733000+00:00 description Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior. An application with access to broad file scopes or sensitive storage areas becomes active, performs abnormal burst file reads and writes across many user or shared-storage locations, transforms file content or extensions at scale in a short window, and causes rapid file inaccessibility, rewrite, or replacement inconsistent with normal sync, backup, media processing, or document-editing behavior. The defender correlates capability state, app lifecycle, framework use, bulk file-write effects, and optional network communications to distinguish encrypt-for-impact behavior from benign bulk file operations. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'android:MDMLog', 'channel': 'Managed storage, backup, enterprise file access, or device policy state remains unchanged while bulk destructive file transformation occurs'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'MobileEDR:telemetry', 'channel': 'Application holds or is granted broad storage, document-provider, media, or file-management capability inconsistent with its expected role before or during bulk file transformation'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Application runs in foreground, service, or sustained background-active state while concentrated file transformation occurs with weak or no recent user interaction'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation'}
[AN1784] Analytic 1784 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for the Android perm t Defender observes an app enumerating installed security/mana
+ ission `android.permission.QUERY_ALL_PACKAGES`, and apply ex gement controls (AV/EDR/MDM/VPN/Play Protect) via PackageMan
+ tra scrutiny to applications that request it. On iOS, applic ager, DevicePolicyManager, AppOps, and Settings queries or s
+ ation vetting services could look for usage of the private A hell ‘pm list’ usage, optionally probing Accessibility/Devic
+ PI `LSApplicationWorkspace` and apply extra scrutiny to appl e Admin state. Enumeration is followed by local inventory ar
+ ications that employ it. tifact creation and/or small egress. Chain: capability to qu
+ ery → burst of security-focused checks (packages/permissions
+ /policies) → optional foreground targeting → artifact write
+ → quick POST.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from discovery burst to persist/exfil (e.g., 10–120s).'}, {'field': 'MinEnumCount', 'description': 'Minimum API calls/rows indicating inventory (e.g., ≥30 in 10s).'}, {'field': 'SecurityTargetsList', 'description': 'Regex/prefix list of AV/EDR/MDM/VPN packages & services to elevate severity.'}, {'field': 'PersistPathRegex', 'description': 'Regex for local inventory artifacts (DB/JSON/TXT) in app container.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Allowlisted analytics/endpoints to suppress FPs.'}, {'field': 'WorkProfileOnly', 'description': 'Scope to Work Profile events to reduce personal-profile noise.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-02 16:07:33.370000+00:00 description Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it. Defender observes an app enumerating installed security/management controls (AV/EDR/MDM/VPN/Play Protect) via PackageManager, DevicePolicyManager, AppOps, and Settings queries or shell ‘pm list’ usage, optionally probing Accessibility/Device Admin state. Enumeration is followed by local inventory artifact creation and/or small egress. Chain: capability to query → burst of security-focused checks (packages/permissions/policies) → optional foreground targeting → artifact write → quick POST. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'android:logcat', 'channel': "Command 'pm list packages' executed by app sandbox or child proc"} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'android:logcat', 'channel': 'Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'android:logcat', 'channel': 'Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'CREATE/WRITE /data/data//(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)'}
[AN1785] Analytic 1785 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for the Android perm t Defender correlates app attempts to enumerate or infer secur
+ ission `android.permission.QUERY_ALL_PACKAGES`, and apply ex ity/management tooling (ManagedConfiguration/MDM presence, V
+ tra scrutiny to applications that request it. On iOS, applic PN/NEFilter config, AV/EDR app presence via LaunchServices o
+ ation vetting services could look for usage of the private A r URL-scheme probing, private APIs) with local inventory per
+ PI `LSApplicationWorkspace` and apply extra scrutiny to appl sistence and egress. Chain: probe (MDM/NE/VPN/AV presence) →
+ ications that employ it. burst of LS/canOpenURL/ManagedConfiguration calls → invento
+ ry cache write → small POST.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from probe burst to persist/exfil (e.g., 10–120s).'}, {'field': 'MinProbeCount', 'description': 'Minimum API/probe count to flag (e.g., ≥25/10s).'}, {'field': 'SecurityTargetsList', 'description': 'Schemes/bundle IDs for AV/EDR/MDM/VPN vendors (regex/prefix).'}, {'field': 'PersistPathRegex', 'description': 'Regex for inventory artifacts in app/extension containers.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Known-good analytics/CDN allowlist.'}, {'field': 'JailbreakContext', 'description': 'Escalate severity if private APIs used on non-managed devices.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-02 16:21:09.206000+00:00 description Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it. Defender correlates app attempts to enumerate or infer security/management tooling (ManagedConfiguration/MDM presence, VPN/NEFilter config, AV/EDR app presence via LaunchServices or URL-scheme probing, private APIs) with local inventory persistence and egress. Chain: probe (MDM/NE/VPN/AV presence) → burst of LS/canOpenURL/ManagedConfiguration calls → inventory cache write → small POST. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)'}
[AN1788] Analytic 1788 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t On Android, the user is presented with a permissions popup w t Defender observes an app (package/UID) issuing high-rate dir
+ hen an application requests access to external device storag ectory or content-index enumerations against external/shared
+ e. storage or other apps’ Documents/Media providers (logcat:Co
+ ntentResolver, logcat:StorageAccessFramework), followed with
+ in a short window by bulk READ handles or stat/list calls ov
+ er many distinct paths (logcat:FileIO). Activity occurs with
+ out foreground UI or exceeds typical per-app baseline, indic
+ ating automated file/dir discovery rather than user-driven b
+ rowsing. Correlate on package/UID/profile and time proximity
+ .
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Time window to correlate API queries with file listings (e.g., 30–300s).'}, {'field': 'MinDistinctPaths', 'description': 'Minimum unique paths accessed to qualify as discovery (e.g., ≥50).'}, {'field': 'BackgroundOnly', 'description': 'Require app to be backgrounded to reduce user-driven noise.'}, {'field': 'TargetPathRegex', 'description': 'Scope to enterprise-relevant locations (e.g., /Documents, /Android/media/).'}, {'field': 'AllowlistedPackages', 'description': 'Backup/DLP/security apps expected to enumerate broadly.'}, {'field': 'ProfileScope', 'description': 'Limit to Work Profile to reduce personal data noise.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-18 18:06:39.579000+00:00 description On Android, the user is presented with a permissions popup when an application requests access to external device storage. Defender observes an app (package/UID) issuing high-rate directory or content-index enumerations against external/shared storage or other apps’ Documents/Media providers (logcat:ContentResolver, logcat:StorageAccessFramework), followed within a short window by bulk READ handles or stat/list calls over many distinct paths (logcat:FileIO). Activity occurs without foreground UI or exceeds typical per-app baseline, indicating automated file/dir discovery rather than user-driven browsing. Correlate on package/UID/profile and time proximity. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'android:logcat', 'channel': 'ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'android:logcat', 'channel': 'READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:logcat', 'channel': 'READ_EXTERNAL_STORAGE / MANAGE_EXTERNAL_STORAGE permission present or toggled at runtime'}
[AN1789] Analytic 1789 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t On Android, the user is presented with a permissions popup w t Defender observes an app (bundle/process) performing large-s
+ hen an application requests access to external device storag cope directory listings or metadata reads via FileProvider/N
+ e. SFileManager against user-visible containers (Files app loca
+ tions, iCloud/On-My-iPhone) or external providers, with rapi
+ d traversal across many folders while the app is backgrounde
+ d or without corresponding UI activity (unifiedlogs:FileProv
+ ider, unifiedlogs:FileIO). Optional signals include Photo li
+ brary or document picker bulk enumeration absent recent user
+ gesture. Correlate on bundle/process/profile and path volum
+ e within a bounded window.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Correlation window between enumeration API calls and path bursts (e.g., 30–300s).'}, {'field': 'MinDistinctPaths', 'description': 'Minimum number of unique paths to flag discovery (e.g., ≥40).'}, {'field': 'TargetPathRegex', 'description': 'Enterprise-relevant containers/providers to include/exclude.'}, {'field': 'RequireBackgroundState', 'description': 'Set true to require background discovery for higher confidence.'}, {'field': 'AllowlistedBundles', 'description': 'Legitimate backup/DLP/file-management apps to suppress.'}, {'field': 'ManagedProfileScope', 'description': 'Limit to managed devices/profiles.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-18 19:33:15.080000+00:00 description On Android, the user is presented with a permissions popup when an application requests access to external device storage. Defender observes an app (bundle/process) performing large-scope directory listings or metadata reads via FileProvider/NSFileManager against user-visible containers (Files app locations, iCloud/On-My-iPhone) or external providers, with rapid traversal across many folders while the app is backgrounded or without corresponding UI activity (unifiedlogs:FileProvider, unifiedlogs:FileIO). Optional signals include Photo library or document picker bulk enumeration absent recent user gesture. Correlate on bundle/process/profile and path volume within a bounded window. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'iOS:unifiedlog', 'channel': 'readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time'}
[AN1793] Analytic 1793 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Abuse of standard application protocols can be difficult to t A defender observes an application establishing application-
+ detect as many legitimate mobile applications leverage such layer network sessions (e.g., HTTP(S), WebSocket, DNS, SMTP/
+ protocols for language-specific APIs. Enterprises may be bet IMAP) with destinations and request patterns that deviate fr
+ ter served focusing on detection at other stages of adversar om the enterprise baseline for that app category, especially
+ ial behavior. when sessions occur during background execution or while th
+ e device is locked and exhibit beacon-like periodicity, anom
+ alous SNI/Host patterns, or suspicious request/response size
+ symmetry consistent with command polling and tasking over l
+ egitimate-looking protocols.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'NSM:Flow', 'channel': 'Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction'}] x_mitre_mutable_elements [{'field': 'BeaconIntervalVarianceThreshold', 'description': 'Defines acceptable periodicity variance for network communications'}, {'field': 'ConnectionFrequencyThreshold', 'description': 'Baseline-dependent threshold for anomalous connection rates'}, {'field': 'PayloadEntropyThreshold', 'description': 'Defines anomaly conditions for encoded or structured payload content'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-04 23:55:34.960000+00:00 description Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. A defender observes an application establishing application-layer network sessions (e.g., HTTP(S), WebSocket, DNS, SMTP/IMAP) with destinations and request patterns that deviate from the enterprise baseline for that app category, especially when sessions occur during background execution or while the device is locked and exhibit beacon-like periodicity, anomalous SNI/Host patterns, or suspicious request/response size symmetry consistent with command polling and tasking over legitimate-looking protocols. x_mitre_version 1.0 1.1
[AN1794] Analytic 1794 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Abuse of standard application protocols can be difficult to t A defender observes an application generating application-la
+ detect as many legitimate mobile applications leverage such yer communications that blend with normal traffic (HTTP(S),
+ protocols for language-specific APIs. Enterprises may be bet WebSocket, DNS, mail protocols) but show deviations from ent
+ ter served focusing on detection at other stages of adversar erprise baselines for that bundle ID—such as persistent back
+ ial behavior. ground network sessions, regular low-volume polling interval
+ s, anomalous SNI/Host destinations, uncommon DNS patterns, o
+ r uniform request/response sizing—suggesting command and con
+ trol over legitimate-looking protocols without relying on to
+ ol signatures.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'NSM:Flow', 'channel': 'Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction'}] x_mitre_mutable_elements [{'field': 'CadenceAnomalyThreshold', 'description': 'Defines acceptable deviation in protocol communication timing'}, {'field': 'SessionPersistenceThreshold', 'description': 'Baseline deviation tolerance for long-lived sessions'}, {'field': 'AppNetworkBehaviorBaseline', 'description': 'Expected mapping of application functionality to protocol usage'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-04 23:56:19.093000+00:00 description Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. A defender observes an application generating application-layer communications that blend with normal traffic (HTTP(S), WebSocket, DNS, mail protocols) but show deviations from enterprise baselines for that bundle ID—such as persistent background network sessions, regular low-volume polling intervals, anomalous SNI/Host destinations, uncommon DNS patterns, or uniform request/response sizing—suggesting command and control over legitimate-looking protocols without relying on tool signatures. x_mitre_version 1.0 1.1
[AN1797] Analytic 1797 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting can detect many techniques associated wi t Correlates (1) application-driven modification of device sec
+ th impairing device defenses.(Citation: Samsung Knox Mobile urity posture or monitoring capability (e.g., accessibility
+ Threat Defense) Mobile security products integrated with Sam abuse, disabling security app components, altering monitorin
+ sung Knox for Mobile Threat Defense can monitor processes to g configuration), (2) immediate degradation or cessation of
+ see if security tools are killed or stop running. expected telemetry sources such as mobile EDR, sensor visibi
+ lity, or system monitoring, and (3) subsequent application a
+ ctivity continuing with reduced observability. The defender
+ observes a causal chain where defensive visibility or enforc
+ ement is altered first, followed by continued execution unde
+ r reduced monitoring conditions.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between configuration change, telemetry degradation, and subsequent activity'}, {'field': 'ExpectedTelemetrySources', 'description': 'Baseline set of telemetry sources expected to report continuously (EDR, sensor feeds, monitoring services)'}, {'field': 'TelemetryGapThreshold', 'description': 'Duration or volume threshold defining abnormal loss of telemetry'}, {'field': 'AllowedAppList', 'description': 'Applications legitimately capable of modifying device configuration or security posture'}, {'field': 'CriticalControlSet', 'description': 'Set of security-relevant controls considered high-impact if altered (EDR, accessibility, admin APIs)'}, {'field': 'UplinkBytesThreshold', 'description': 'Outbound traffic threshold used to confirm continued activity during telemetry loss'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:37.215000+00:00 description Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)
+Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Correlates (1) application-driven modification of device security posture or monitoring capability (e.g., accessibility abuse, disabling security app components, altering monitoring configuration), (2) immediate degradation or cessation of expected telemetry sources such as mobile EDR, sensor visibility, or system monitoring, and (3) subsequent application activity continuing with reduced observability. The defender observes a causal chain where defensive visibility or enforcement is altered first, followed by continued execution under reduced monitoring conditions. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'change to security-relevant device configuration or managed policy (e.g., accessibility enablement, app admin changes, security service state change) preceding telemetry degradation'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f', 'name': 'Process', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'ecurity or monitoring application transitions to disabled, inactive, or non-reporting state while other applications remain active'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation'}
iterable_item_removed STIX Field Old value New Value external_references {'source_name': 'Samsung Knox Mobile Threat Defense', 'description': 'Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.', 'url': 'https://partner.samsungknox.com/mtd'}
[AN1800] Analytic 1800 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile threat defense agents could detect unauthorized opera t Correlates (1) modification or replacement of system runtime
+ ting system modifications by using attestation. libraries or API resolution paths, (2) repeated invocation
+ of hijacked APIs across multiple applications, and (3) incon
+ sistent or suppressed outputs from those APIs compared to ex
+ pected OS-enforced behavior. The defender observes a causal
+ chain where system-level API behavior is altered, resulting
+ in multiple applications exhibiting consistent anomalies in
+ sensor access, permission checks, or system state reporting.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window across multiple applications invoking affected APIs'}, {'field': 'SensitiveAPISet', 'description': 'Set of APIs monitored for integrity (e.g., location, telephony, permission checks)'}, {'field': 'CrossAppConsistencyThreshold', 'description': 'Number of applications required to exhibit anomalous API behavior to trigger detection'}, {'field': 'ExpectedAPIBaseline', 'description': 'Baseline of expected API return values or behavior patterns per device state'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 18:04:23.913000+00:00 description Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. Correlates (1) modification or replacement of system runtime libraries or API resolution paths, (2) repeated invocation of hijacked APIs across multiple applications, and (3) inconsistent or suppressed outputs from those APIs compared to expected OS-enforced behavior. The defender observes a causal chain where system-level API behavior is altered, resulting in multiple applications exhibiting consistent anomalies in sensor access, permission checks, or system state reporting. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)'}
[AN1801] Analytic 1801 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for use of the acces t Correlates (1) a malicious application gaining or using a re
+ sibility service or features that typically require root acc moval-capable control path, such as device owner or delegate
+ ess. The user can see a list of applications that can use ac d app-management authority, accessibility service control ov
+ cessibility services in the device settings. er uninstall UI, or rooted filesystem access, (2) initiation
+ of uninstall or package-removal behavior, and (3) disappear
+ ance of the application from installed-state inventory or ap
+ p runtime immediately afterward, often with a short-lived fi
+ nal burst of local cleanup or outbound communication. The de
+ fender observes a causal chain where the application first e
+ stablishes the ability to remove itself, then triggers unins
+ tall or deletion, and then vanishes from expected app presen
+ ce while device activity continues.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between uninstall-capable control, removal action, and app disappearance'}, {'field': 'RemovalAuthoritySet', 'description': 'Roles or privileges considered capable of enabling silent or assisted uninstall, such as device owner, delegated app-management authority, accessibility, or rooted filesystem access'}, {'field': 'AllowedRemovalApps', 'description': 'Legitimate enterprise or device-management apps allowed to uninstall applications'}, {'field': 'RemovalAttemptSignalSet', 'description': 'Signals used to recognize uninstall initiation, such as package-removal actions, uninstall intent flows, or accessibility-driven confirmation steps'}, {'field': 'DisappearanceThreshold', 'description': 'Maximum time between removal action and loss of installed-state visibility'}, {'field': 'UplinkBytesThreshold', 'description': 'Outbound traffic threshold used to confirm final activity before self-removal'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:17.842000+00:00 description Application vetting services could look for use of the accessibility service or features that typically require root access.
+The user can see a list of applications that can use accessibility services in the device settings. Correlates (1) a malicious application gaining or using a removal-capable control path, such as device owner or delegated app-management authority, accessibility service control over uninstall UI, or rooted filesystem access, (2) initiation of uninstall or package-removal behavior, and (3) disappearance of the application from installed-state inventory or app runtime immediately afterward, often with a short-lived final burst of local cleanup or outbound communication. The defender observes a causal chain where the application first establishes the ability to remove itself, then triggers uninstall or deletion, and then vanishes from expected app presence while device activity continues. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application holds device-owner, profile-owner, or delegated app-management authority capable of package removal before uninstall event'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'application has accessibility service privileges immediately before package-removal UI flow and subsequent application disappearance'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'device posture indicates rooted, compromised, or non-compliant state before package files disappear without standard managed uninstall workflow'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8', 'name': 'MobileEDR:telemetry', 'channel': 'application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime'}
[AN1802] Analytic 1802 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can often alert the user if their d t Defender correlates a causal chain where a device transition
+ evice is vulnerable to known exploits. s into USB debugging or file transfer mode after a physical
+ connection event, followed by application installation, file
+ replication, or execution originating from the USB interfac
+ e rather than the application store ecosystem.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between USB connection state change and application installation.'}, {'field': 'AllowedDeveloperDevices', 'description': 'List of devices legitimately allowed to use ADB debugging.'}, {'field': 'AllowedSideloadApps', 'description': 'Approved enterprise apps allowed to install outside Google Play.'}, {'field': 'FileReplicationThreshold', 'description': 'Volume of file writes from mounted external storage considered suspicious.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-10 15:33:30.111000+00:00 description Mobile security products can often alert the user if their device is vulnerable to known exploits. Defender correlates a causal chain where a device transitions into USB debugging or file transfer mode after a physical connection event, followed by application installation, file replication, or execution originating from the USB interface rather than the application store ecosystem. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'android:MDMLog', 'channel': 'device USB mode change (charging to file transfer / debugging / accessory)'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'ADB_DEBUGGING_ENABLED'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'application installed from adb, sideload, or unknown USB source'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'large file write originating from /mnt/usb or external mounted storage'}
[AN1803] Analytic 1803 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can often alert the user if their d t Defender correlates a chain where a device establishes a new
+ evice is vulnerable to known exploits. trusted USB host pairing or enters developer/debug configur
+ ation state, followed by device data extraction activity, co
+ nfiguration manipulation, or abnormal application behavior s
+ hortly after the pairing event.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'PairingEventWindow', 'description': 'Time window between trusted host pairing and suspicious device behavior.'}, {'field': 'AllowedTrustedHosts', 'description': 'Enterprise-authorized computers permitted to pair with managed devices.'}, {'field': 'DeveloperModePolicy', 'description': 'Whether developer mode is permitted in the organization.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-10 23:16:21.386000+00:00 description Mobile security products can often alert the user if their device is vulnerable to known exploits. Defender correlates a chain where a device establishes a new trusted USB host pairing or enters developer/debug configuration state, followed by device data extraction activity, configuration manipulation, or abnormal application behavior shortly after the pairing event. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'iOS:MDMLog', 'channel': 'Developer Mode enabled, supervised-device restriction changed, or trust-related protected device posture changed'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'iOS:MDMLog', 'channel': 'Trusted computer / host relationship established or relevant device trust setting changed'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'iOS:MDMLog', 'channel': 'Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access'}
[AN1804] Analytic 1804 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can typically detect rooted devices t Defender observes an app/package attempting to enumerate run
+ , which is an indication that Process Discovery is possible. ning processes by triggering restricted process visibility m
+ Application vetting could potentially detect when applicati echanisms (e.g., repeated queries for running tasks/services
+ ons attempt to abuse root access or root the system itself. , rapid iteration over process identifiers, or access attemp
+ Further, application vetting services could look for attempt ts against /proc entries) that are atypical for its declared
+ ed usage of legacy process discovery mechanisms, such as the function and occur without an associated user-facing diagno
+ usage of `ps` or inspection of the `/proc` directory. stic workflow. The detection relies on correlating (1) OS/AP
+ I calls or shell/system utility execution indicative of proc
+ ess listing or /proc traversal, (2) app privilege context (r
+ oot, debug build, device owner/profile owner, accessibility/
+ IME status), (3) background execution state, and (4) optiona
+ l follow-on behaviors consistent with automated discovery (s
+ hort bursts of local IPC probes, network beacons immediately
+ after enumeration, or rapid targeting of specific high-valu
+ e package/process names). The analytic should describe what
+ is observable: repeated enumeration signals + privilege cont
+ ext + timing relationship, not the adversary’s intent.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Correlation window for enumeration → follow-on activity (e.g., 60–600s).'}, {'field': 'MinEnumerationSignals', 'description': 'Minimum count of process enumeration indicators to alert (tune by OS build and telemetry quality).'}, {'field': 'ProcTraversalThreshold', 'description': 'How many distinct /proc paths opened within the window counts as enumeration (e.g., ≥50).'}, {'field': 'BackgroundOnly', 'description': 'If true, require background state to reduce legitimate in-app diagnostics noise.'}, {'field': 'AllowlistedPackages', 'description': 'Legitimate security/diagnostic/MDM agents expected to inspect processes.'}, {'field': 'HighValueProcessNames', 'description': 'Process/package names of interest (e.g., security agents, banking apps) used only as enrichment, not a signature.'}, {'field': 'NetworkProbePorts', 'description': 'Ports considered a ‘probe/beacon’ after enumeration (53/80/443/etc.).'}, {'field': 'PrivilegeEscalationGate', 'description': 'If true, increase severity when enumeration co-occurs with root/debuggable/jailbreak-like posture.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-23 16:59:44.335000+00:00 description Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory. Defender observes an app/package attempting to enumerate running processes by triggering restricted process visibility mechanisms (e.g., repeated queries for running tasks/services, rapid iteration over process identifiers, or access attempts against /proc entries) that are atypical for its declared function and occur without an associated user-facing diagnostic workflow. The detection relies on correlating (1) OS/API calls or shell/system utility execution indicative of process listing or /proc traversal, (2) app privilege context (root, debug build, device owner/profile owner, accessibility/IME status), (3) background execution state, and (4) optional follow-on behaviors consistent with automated discovery (short bursts of local IPC probes, network beacons immediately after enumeration, or rapid targeting of specific high-value package/process names). The analytic should describe what is observable: repeated enumeration signals + privilege context + timing relationship, not the adversary’s intent. 
x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'android:logcat', 'channel': 'unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'auditd:SYSCALL', 'channel': 'attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID'}
[AN1805] Analytic 1805 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products can typically detect rooted devices t Defender observes signals consistent with attempted process
+ , which is an indication that Process Discovery is possible. listing on iOS where modern OS protections generally prevent
+ Application vetting could potentially detect when applicati broad process enumeration for non-root apps. Detections the
+ ons attempt to abuse root access or root the system itself. refore focus on: (1) feasibility gating via integrity/jailbr
+ Further, application vetting services could look for attempt eak posture, and (2) observable security/log anomalies consi
+ ed usage of legacy process discovery mechanisms, such as the stent with attempts to query process tables or restricted sy
+ usage of `ps` or inspection of the `/proc` directory. stem interfaces (e.g., repeated sandbox denials, suspicious
+ sysctl-like access attempts, or abnormal use of private fram
+ eworks). Correlate integrity compromise indicators with repe
+ ated restricted-access events and optional follow-on behavio
+ rs (rapid targeting of specific bundles/services or immediat
+ e network beacons) to raise confidence that process discover
+ y is occurring.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'IntegritySignalRequired', 'description': 'If true, alert only when integrity/jailbreak posture indicates process discovery is feasible.'}, {'field': 'MinSandboxDenials', 'description': 'Threshold for sandbox denials within a window to treat as sustained restricted-access attempts.'}, {'field': 'TimeWindowSeconds', 'description': 'Correlation window between integrity signals and sandbox/network events (e.g., 1–24 hours).'}, {'field': 'AllowlistedBundles', 'description': 'Enterprise monitoring/networking apps that may generate benign sandbox noise.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-23 17:10:37.953000+00:00 description Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory. Defender observes signals consistent with attempted process listing on iOS where modern OS protections generally prevent broad process enumeration for non-root apps. Detections therefore focus on: (1) feasibility gating via integrity/jailbreak posture, and (2) observable security/log anomalies consistent with attempts to query process tables or restricted system interfaces (e.g., repeated sandbox denials, suspicious sysctl-like access attempts, or abnormal use of private frameworks). Correlate integrity compromise indicators with repeated restricted-access events and optional follow-on behaviors (rapid targeting of specific bundles/services or immediate network beacons) to raise confidence that process discovery is occurring. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'MDM:DeviceIntegrity', 'channel': 'jailbreak/root compromise indicators or integrity attestation failures enabling process visibility'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)'}
[AN1806] Analytic 1806 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can view a list of active device administrators in t Correlates (1) application acquisition or use of elevated co
+ the device settings. ntrol paths capable of altering defensive tooling or protect
+ ed system state, such as device administration, root-enabled
+ modification, or security-setting manipulation, (2) direct
+ changes to security-tool configuration, service state, packa
+ ge state, or protected enforcement settings such as SELinux-
+ relevant files or security-app components, and (3) immediate
+ degradation, suppression, or disappearance of expected secu
+ rity telemetry while the device and initiating application r
+ emain active. The defender observes a causal chain where a s
+ ecurity control is modified first, then monitoring or protec
+ tion weakens, and subsequent activity continues under reduce
+ d defensive visibility.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between security-setting change, tool degradation, and subsequent continued activity'}, {'field': 'CriticalToolSet', 'description': 'Security-relevant applications or components expected to remain enabled and reporting, such as mobile EDR, Play Protect-associated controls, or agent services'}, {'field': 'TelemetryGapThreshold', 'description': 'Duration or volume threshold defining abnormal loss of expected security telemetry'}, {'field': 'ProtectedSettingSet', 'description': 'Protected settings or files treated as suspicious if modified, including SELinux-relevant enforcement state or security-app configuration'}, {'field': 'AllowedAdminApps', 'description': 'Legitimate applications or management agents allowed to modify security-relevant posture'}, {'field': 'UplinkBytesThreshold', 'description': 'Outbound traffic threshold used to confirm continued meaningful activity during reduced defensive visibility'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:26.476000+00:00 description The user can view a list of active device administrators in the device settings. Correlates (1) application acquisition or use of elevated control paths capable of altering defensive tooling or protected system state, such as device administration, root-enabled modification, or security-setting manipulation, (2) direct changes to security-tool configuration, service state, package state, or protected enforcement settings such as SELinux-relevant files or security-app components, and (3) immediate degradation, suppression, or disappearance of expected security telemetry while the device and initiating application remain active. The defender observes a causal chain where a security control is modified first, then monitoring or protection weakens, and subsequent activity continues under reduced defensive visibility. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'device posture changes to rooted, non-compliant, weakened security state, or elevated control role becomes active before security-tool degradation'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'security-relevant application package state, enabled status, administrator state, or managed protection setting changes immediately before monitoring degradation'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state'}
[AN1807] Analytic 1807 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile threat defense agents could detect unauthorized opera t Correlates (1) abnormal application or system resource resol
+ ting system modifications by using attestation. ution behavior (e.g., library loading, path resolution, or i
+ ntent redirection), (2) execution of code or resources not a
+ ligned with the originating application’s package identity o
+ r expected runtime context, and (3) follow-on execution or n
+ etwork activity originating from the hijacked flow. The defe
+ nder observes a causal chain where execution is redirected f
+ rom an expected code path to an alternate resource or payloa
+ d, resulting in execution under a trusted context but with u
+ ntrusted origin.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between abnormal resource loading and execution/network activity'}, {'field': 'AllowedLibraryPaths', 'description': 'Baseline of expected library/resource load paths per application'}, {'field': 'TrustedSignatureList', 'description': 'Trusted signing identities for application components'}, {'field': 'AllowedAppList', 'description': 'Applications allowed to dynamically load code or use external resources'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-13 15:50:52.912000+00:00 description Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. Correlates (1) abnormal application or system resource resolution behavior (e.g., library loading, path resolution, or intent redirection), (2) execution of code or resources not aligned with the originating application’s package identity or expected runtime context, and (3) follow-on execution or network activity originating from the hijacked flow. The defender observes a causal chain where execution is redirected from an expected code path to an alternate resource or payload, resulting in execution under a trusted context but with untrusted origin. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application launches or executes code where loaded library or component path does not match application package path or expected signing context'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'MobileEDR:telemetry', 'channel': 'application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'MobileEDR:telemetry', 'channel': 'application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)'}
[AN1808] Analytic 1808 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can view which applications have permission to use t The defender correlates Android camera access by an app iden
+ the camera through the device settings screen, where the use tity with app and device context showing that the capture is
+ r can then choose to revoke the permissions. During the vett inconsistent with expected user-driven recording behavior.
+ ing process, applications using the Android permission `andr The strongest Android evidence is camera resource access fol
+ oid.permission.CAMERA`, or the iOS `NSCameraUsageDescription lowed by sustained capture duration, video or image artifact
+ ` plist entry could be given closer scrutiny. creation, buffer or cache growth, and optional outbound tra
+ nsfer, especially when the app is backgrounded, operating as
+ a foreground service without visible user initiation, activ
+ e while the device is locked, or capturing without recent us
+ er interaction. The detection is strengthened when the app i
+ s unmanaged, recently granted camera access, or not approved
+ to record video.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window linking camera access, lifecycle context, artifact creation, and optional network transfer.'}, {'field': 'CaptureDurationThreshold', 'description': 'Minimum sustained camera session duration considered unusual for the app role.'}, {'field': 'AllowedAppList', 'description': 'Approved camera-capable apps vary by organization, device group, and role.'}, {'field': 'ForegroundStateRequired', 'description': 'Some apps should only access the camera while visibly foregrounded.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close camera activation must be to user interaction to be considered expected.'}, {'field': 'AllowedBackgroundCaptureApps', 'description': 'Specific enterprise or accessibility workflows may legitimately capture while not foregrounded.'}, {'field': 'ArtifactWriteThreshold', 'description': 'Minimum media-buffer or file-write volume indicating probable video or burst-image capture.'}, {'field': 'UplinkBytesThreshold', 'description': 'Threshold for suspicious outbound transfer after capture.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-19 20:20:49.044000+00:00 description The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.
+During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. The defender correlates Android camera access by an app identity with app and device context showing that the capture is inconsistent with expected user-driven recording behavior. The strongest Android evidence is camera resource access followed by sustained capture duration, video or image artifact creation, buffer or cache growth, and optional outbound transfer, especially when the app is backgrounded, operating as a foreground service without visible user initiation, active while the device is locked, or capturing without recent user interaction. The detection is strengthened when the app is unmanaged, recently granted camera access, or not approved to record video. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Camera sensor access began from app identity and remained active for sustained capture interval in app context not mapped to approved video recording workflow'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Camera sensor access occurred while AppState=background, foreground service active without visible user action, or DeviceLockState=locked during capture interval'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before camera session start and no foreground transition occurred during sustained capture interval'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App identity performing camera session was unmanaged, recently granted camera permission, or not approved to use camera for video or interval image capture'}
[AN1809] Analytic 1809 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can view which applications have permission to use t The defender correlates managed-app or supervised-device cam
+ the camera through the device settings screen, where the use era access with app and device context showing that the capt
+ r can then choose to revoke the permissions. During the vett ure is inconsistent with expected user-driven recording beha
+ ing process, applications using the Android permission `andr vior. The strongest iOS evidence is camera access or camera-
+ oid.permission.CAMERA`, or the iOS `NSCameraUsageDescription adjacent capture activity followed by app-state evidence suc
+ ` plist entry could be given closer scrutiny. h as background or low-interaction operation, optional media
+ artifact creation, and optional post-capture network transf
+ er. Because direct low-level runtime visibility is weaker th
+ an Android for many enterprises, the primary iOS analytic sh
+ ould anchor on managed app context, device state, and downst
+ ream effects around camera use, with local subsystem telemet
+ ry treated as enrichment rather than sole proof.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window linking camera access, device state, artifact creation, and optional network transfer.'}, {'field': 'CaptureDurationThreshold', 'description': 'Minimum sustained camera session duration considered unusual for the bundle role.'}, {'field': 'SupervisedRequired', 'description': 'Strongest bundle-baseline and managed-app analytics depend on supervised iOS devices.'}, {'field': 'AllowedManagedApps', 'description': 'Approved managed bundle identities with camera capability vary by organization and device profile.'}, {'field': 'ForegroundStateRequired', 'description': 'Some managed apps should only access the camera during visible foreground use.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close camera activation must be to user interaction to be considered expected.'}, {'field': 'AllowedBackgroundCaptureApps', 'description': 'Specific approved workflows may legitimately capture media under constrained background-like conditions.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-23 20:54:34.747000+00:00 description The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.
+During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. The defender correlates managed-app or supervised-device camera access with app and device context showing that the capture is inconsistent with expected user-driven recording behavior. The strongest iOS evidence is camera access or camera-adjacent capture activity followed by app-state evidence such as background or low-interaction operation, optional media artifact creation, and optional post-capture network transfer. Because direct low-level runtime visibility is weaker than Android for many enterprises, the primary iOS analytic should anchor on managed app context, device state, and downstream effects around camera use, with local subsystem telemetry treated as enrichment rather than sole proof. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Background activity, low-interaction device state, or DeviceLockState=locked was observed during sustained camera session or immediately before camera access from same bundle context'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Bundle performing camera session was not present in approved managed-app baseline or was not permitted to use camera for video or interval image capture'}
[AN1812] Analytic 1812 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can look for applications reque t A defender correlates an application being granted accessibi
+ sting the permissions granting access to accessibility servi lity service control with subsequent consumption of high-vol
+ ces or application overlay. The user can view a list of devi ume accessibility events, interaction with sensitive UI elem
+ ce administrators and applications that have registered Acce ents or text-entry fields, optional overlay/window presentat
+ ssibility services in device settings. Applications that reg ion over other applications, and near-term local buffering o
+ ister an Accessibility service should be scrutinized further r outbound network transmission, indicating abuse of accessi
+ for malicious behavior. bility features for input capture, credential theft, or auto
+ mated interaction.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'AllowedAccessibilityApps', 'description': 'Allow-list of sanctioned accessibility-enabled apps in the environment, such as screen readers or approved assistive tools.'}, {'field': 'AccessibilityEventRateThreshold', 'description': 'Threshold for event volume or sustained event consumption indicating broad UI monitoring rather than limited assistive use.'}, {'field': 'SensitiveFieldCorrelationRequired', 'description': 'Determines whether detection should require correlation to text-entry fields, login screens, or password/credential UI contexts.'}, {'field': 'OverlayCorrelationWindow', 'description': 'Time window correlating accessibility activity with overlay/window presentation over other apps.'}, {'field': 'AccessibilityToNetworkWindow', 'description': 'Time window linking accessibility event capture or text change activity to outbound network communication.'}, {'field': 'BackgroundServiceAllowed', 'description': 'Tuning for whether background accessibility service activity is expected for approved assistive tools.'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound byte volume or burst count considered suspicious after accessibility event capture.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-06 19:21:56.951000+00:00 description Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.
+The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service should be scrutinized further for malicious behavior. A defender correlates an application being granted accessibility service control with subsequent consumption of high-volume accessibility events, interaction with sensitive UI elements or text-entry fields, optional overlay/window presentation over other applications, and near-term local buffering or outbound network transmission, indicating abuse of accessibility features for input capture, credential theft, or automated interaction. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'MobileEDR:telemetry', 'channel': 'Application remains backgrounded while accessibility service continues to receive events or perform actions across other foreground apps'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity'}
[AN1815] Analytic 1815 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Mobile security products may be able to detect some forms of t Correlates (1) continuous or repeated use of motion or inter
+ user evasion. Otherwise, the act of hiding malicious activi action-inference signals that do not require overt user-faci
+ ty could be difficult to detect, and therefore enterprises m ng privilege prompts, (2) suppression of higher-risk behavio
+ ay be better served focusing on detection at other stages of r while user presence or active handling is inferred, and (3
+ adversarial behavior. ) resumption of background execution, sensor use, local data
+ handling, or network activity only when device interaction
+ falls below a threshold. The defender observes a causal chai
+ n where an application senses user/device interaction state
+ and intentionally gates malicious behavior to user-inactive
+ periods.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'application reduces or halts operational activity during periods of active user interaction and resumes background execution or periodic work only during low-motion or idle intervals'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between motion-state inference and subsequent deferred execution'}, {'field': 'IdleThreshold', 'description': 'Threshold defining when device motion or interaction is considered low enough to permit hidden execution'}, {'field': 'InteractionSignalSet', 'description': 'Environment-specific set of motion or activity signals used to infer user presence'}, {'field': 'AllowedAppList', 'description': 'Baseline of legitimate applications expected to use motion or activity sensing while also conditionally changing behavior'}, {'field': 'ForegroundStateRequired', 'description': 'Whether suspiciousness increases when deferred activity starts from background or with no recent foreground interaction'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound traffic threshold used to distinguish meaningful deferred operation from benign maintenance traffic'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:28.435000+00:00 description Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. Correlates (1) continuous or repeated use of motion or interaction-inference signals that do not require overt user-facing privilege prompts, (2) suppression of higher-risk behavior while user presence or active handling is inferred, and (3) resumption of background execution, sensor use, local data handling, or network activity only when device interaction falls below a threshold. The defender observes a causal chain where an application senses user/device interaction state and intentionally gates malicious behavior to user-inactive periods. x_mitre_version 1.0 1.1
[AN1816] Analytic 1816 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may provide a list of connectio t The defender correlates repeated inbound retrieval and outbo
+ ns made or received by an application, or a list of domains und submission activity by the same Android app identity to
+ contacted by the application. Many properly configured firew the same legitimate public web-service class within a short
+ alls may naturally block bidirectional command and control t operational window, where the two-way exchange is inconsiste
+ raffic. nt with the app's approved role, interaction model, or backg
+ round behavior baseline. The strongest Android evidence is a
+ pp-attributed communication to collaboration, social, cloud
+ storage, code-hosting, messaging, or generic HTTPS platforms
+ where requests that retrieve content are followed by app-at
+ tributed posts, uploads, document updates, API writes, or re
+ peated small bidirectional exchanges, especially when they o
+ ccur while the app is backgrounded, while the device is lock
+ ed, without recent user interaction, or shortly after local
+ staging or protected-resource access.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between retrieval and outbound write over the same web-service class.'}, {'field': 'AllowedAppList', 'description': 'Approved app identities vary by organization, business unit, and device group.'}, {'field': 'AllowedServiceClasses', 'description': 'Some apps legitimately perform read/write operations against collaboration, storage, or messaging services.'}, {'field': 'AllowedReadWriteMappings', 'description': 'Defines which apps are expected to both retrieve and submit content to a given public service class.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close the bidirectional exchange must be to user activity to be considered expected.'}, {'field': 'BeaconIntervalTolerance', 'description': 'Allowed recurrence interval for repeated bidirectional exchanges varies by app type.'}, {'field': 'ForegroundStateRequired', 'description': 'Some apps should only perform read/write web interactions while foregrounded.'}, {'field': 'InboundOutboundRatioThreshold', 'description': 'Expected ratio of response size to outbound write size varies by legitimate app workflow.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-18 16:14:55.614000+00:00 description Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.
+Many properly configured firewalls may naturally block bidirectional command and control traffic. The defender correlates repeated inbound retrieval and outbound submission activity by the same Android app identity to the same legitimate public web-service class within a short operational window, where the two-way exchange is inconsistent with the app's approved role, interaction model, or background behavior baseline. The strongest Android evidence is app-attributed communication to collaboration, social, cloud storage, code-hosting, messaging, or generic HTTPS platforms where requests that retrieve content are followed by app-attributed posts, uploads, document updates, API writes, or repeated small bidirectional exchanges, especially when they occur while the app is backgrounded, while the device is locked, without recent user interaction, or shortly after local staging or protected-resource access. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'AppState=background when bidirectional exchange with public web-service domain began and no foreground transition occurred between retrieval and outbound write'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform'} 
x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'App identity performing bidirectional exchange was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for read/write operations'}
[AN1817] Analytic 1817 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services may provide a list of connectio t The defender correlates repeated retrieval and outbound subm
+ ns made or received by an application, or a list of domains ission activity from a supervised device or managed iOS app
+ contacted by the application. Many properly configured firew to the same legitimate public web-service class where the tw
+ alls may naturally block bidirectional command and control t o-way exchange does not fit the bundle's approved role or ex
+ raffic. pected background-refresh model. The strongest iOS evidence
+ is managed-app or device-attributed communication to collabo
+ ration, storage, messaging, social, or generic HTTPS platfor
+ ms where inbound content fetches are followed by outbound wr
+ ites, uploads, updates, or message submissions within a shor
+ t window, especially when occurring during background refres
+ h, while the device is locked, or without recent user intera
+ ction. Because direct local runtime visibility is weaker tha
+ n Android, the primary analytic is anchored on network direc
+ tionality plus supervised managed-app and device-state conte
+ xt.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between retrieval and outbound write over the same public web-service class.'}, {'field': 'SupervisedRequired', 'description': 'Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices.'}, {'field': 'AllowedManagedApps', 'description': 'Approved managed bundle identities vary by organization and device profile.'}, {'field': 'AllowedServiceClasses', 'description': 'Some managed apps legitimately perform bidirectional exchanges with collaboration, storage, or messaging services.'}, {'field': 'AllowedReadWriteMappings', 'description': 'Defines which bundles are expected to both retrieve and submit content to a given public service class.'}, {'field': 'BackgroundRefreshBaseline', 'description': 'Expected background read/write network behavior differs across managed app categories.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close the bidirectional exchange must be to user activity to be considered expected.'}, {'field': 'BeaconIntervalTolerance', 'description': 'Allowed recurrence interval for repeated bidirectional exchanges varies by bundle type.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-18 16:25:11.215000+00:00 description Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.
+Many properly configured firewalls may naturally block bidirectional command and control traffic. The defender correlates repeated retrieval and outbound submission activity from a supervised device or managed iOS app to the same legitimate public web-service class where the two-way exchange does not fit the bundle's approved role or expected background-refresh model. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, storage, messaging, social, or generic HTTPS platforms where inbound content fetches are followed by outbound writes, uploads, updates, or message submissions within a short window, especially when occurring during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime visibility is weaker than Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'BackgroundRefresh or background activity was active when retrieve-then-write exchange with public web-service domain occurred'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Bundle performing bidirectional exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform'}
[AN1820] Analytic 1820 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Google sends a notification to the device when Android Devic t Defender observes anomalous access to remote device manageme
+ e Manager is used to locate it. Additionally, Google provide nt or enterprise mobility management control planes followed
+ s the ability for users to view their general account activi by device-state queries, location requests, or management a
+ ty and alerts users when their credentials have been used on ctions inconsistent with user role, historical behavior, or
+ a new device. Apple iCloud also provides notifications to u device ownership context.
+ sers of account activity such as when credentials have been
+ used.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'RoleDeviationThreshold', 'description': 'Defines acceptable variance between user privileges and management actions'}, {'field': 'GeoAccessAnomalyThreshold', 'description': 'Baseline deviation tolerance for management console access locations'}, {'field': 'DeviceOwnershipBaseline', 'description': 'Expected mapping of users to managed devices'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-24 17:35:08.607000+00:00 description Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. Defender observes anomalous access to remote device management or enterprise mobility management control planes followed by device-state queries, location requests, or management actions inconsistent with user role, historical behavior, or device ownership context. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'saas:MDM', 'channel': 'Authentication events to device management or enterprise mobility management consoles'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac', 'name': 'saas:MDM', 'channel': 'Device lookup, location query, or remote management operation'}
[AN1821] Analytic 1821 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Google sends a notification to the device when Android Devic t Defender observes anomalous authentication or session activi
+ e Manager is used to locate it. Additionally, Google provide ty targeting remote device management services followed by d
+ s the ability for users to view their general account activi evice-tracking queries, device-state requests, or remote act
+ ty and alerts users when their credentials have been used on ions inconsistent with established user-device relationships
+ a new device. Apple iCloud also provides notifications to u or operational patterns.
+ sers of account activity such as when credentials have been
+ used.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'UserDeviceRelationshipDeviation', 'description': 'Defines acceptable deviation from known user-device mappings'}, {'field': 'SessionAnomalyThreshold', 'description': 'Baseline deviation tolerance for management sessions'}, {'field': 'QueryFrequencyThreshold', 'description': 'Threshold for excessive device tracking or lookup activity'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-02-24 17:34:54.559000+00:00 description Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. Defender observes anomalous authentication or session activity targeting remote device management services followed by device-tracking queries, device-state requests, or remote actions inconsistent with established user-device relationships or operational patterns. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'saas:MDM', 'channel': 'Authentication events to Apple iCloud or enterprise device management services'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac', 'name': 'saas:MDM', 'channel': 'Device lookup, location query, or remote management operation'}
[AN1822] Analytic 1822 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can review available call logs for irregularities, t The defender correlates call-control capability or telecom r
+ such as missing or unrecognized calls. The user can view the ole state with subsequent unauthorized call initiation, answ
+ ir default phone app in device settings. er, block, redirect, or concealment behavior by an applicati
+ on outside expected telephony workflows. The analytic priori
+ tizes Android-observable control-plane effects: dangerous or
+ role-gated call-control permissions, default dialer or Conn
+ ectionService-related role changes, telecom framework invoca
+ tion for call placement or handling, write activity against
+ call-log records, and call-control activity occurring from b
+ ackground or locked-device context without recent user inter
+ action.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between permission or role state, call-control action, call-log mutation, and follow-on network communication'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to initiate or manage calls, such as default dialers, carrier tools, enterprise communications apps, or approved call-screening apps'}, {'field': 'AllowedDialerRoles', 'description': 'Approved packages allowed to become default dialer or telecom-managing app on managed devices'}, {'field': 'AllowedDestinationList', 'description': 'Approved network destinations associated with legitimate VoIP, carrier, or enterprise communications workflows'}, {'field': 'ForegroundStateRequired', 'description': 'Whether call-control actions should occur only during active user-driven workflows'}, {'field': 'CallLogModificationThreshold', 'description': 'Number of call-log insert, update, or delete operations within a short interval required before alerting'}, {'field': 'CallActionRateThreshold', 'description': 'Maximum expected rate of call placement, answer, redirect, or block actions for legitimate app behavior'}, {'field': 'HighRiskNumberPatterns', 'description': 'Environment-specific list of suspicious, premium-rate, or adversary-known phone-number patterns'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 17:53:31.236000+00:00 description The user can review available call logs for irregularities, such as missing or unrecognized calls.
+The user can view their default phone app in device settings. The defender correlates call-control capability or telecom role state with subsequent unauthorized call initiation, answer, block, redirect, or concealment behavior by an application outside expected telephony workflows. The analytic prioritizes Android-observable control-plane effects: dangerous or role-gated call-control permissions, default dialer or ConnectionService-related role changes, telecom framework invocation for call placement or handling, write activity against call-log records, and call-control activity occurring from background or locked-device context without recent user interaction. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8', 'name': 'MobileEDR:telemetry', 'channel': 'Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history'}
[AN1823] Analytic 1823 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Usage of insecure or malicious third-party libraries could b t A legitimate-seeming application or update is installed thro
+ e detected by application vetting services. Malicious softwa ugh an expected or previously trusted path, but shortly afte
+ re development tools could be detected by enterprises that d r first run or update the application exhibits new runtime b
+ eploy endpoint protection software on computers that are use ehavior, sensor use, file staging, or network communications
+ d to develop mobile apps. Application vetting could detect t inconsistent with its historical baseline, documented role,
+ he usage of insecure or malicious third-party libraries. or prior version. The defender specifically looks for behav
+ iors commonly introduced by compromised third-party librarie
+ s or manipulated build tooling, such as unexpected backgroun
+ d service activation, first-seen framework use, new permissi
+ ons exercised, novel network destinations, or dropped local
+ artifacts not aligned to the app's expected function.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum span between install/update or first launch and the first suspicious behavior drift.'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to add services, libraries, or destinations because of approved releases.'}, {'field': 'AllowedVersionChangeWindow', 'description': 'Grace period after an approved release during which limited behavior drift may be expected.'}, {'field': 'CapabilityDriftThreshold', 'description': 'Threshold for how many new permissions or capabilities are tolerated before behavior is considered suspicious.'}, {'field': 'SensorDriftThreshold', 'description': 'Threshold for newly used sensors or privacy-sensitive resources that are tolerated for a known app.'}, {'field': 'ForegroundStateRequired', 'description': 'Whether certain framework or sensor behaviors should only be treated as suspicious when they occur without visible user interaction.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Time threshold for distinguishing autonomous post-update execution from normal first-run user activity.'}, {'field': 'DestinationAllowList', 'description': 'Expected domains, CDNs, telemetry services, or APIs associated with approved app updates and known SDKs.'}, {'field': 'BehaviorBaselinePopulation', 'description': 'Devices, versions, or user cohorts used to define normal behavior for the app.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-13 23:48:31.416000+00:00 description Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries. A legitimate-seeming application or update is installed through an expected or previously trusted path, but shortly after first run or update the application exhibits new runtime behavior, sensor use, file staging, or network communications inconsistent with its historical baseline, documented role, or prior version. The defender specifically looks for behaviors commonly introduced by compromised third-party libraries or manipulated build tooling, such as unexpected background service activation, first-seen framework use, new permissions exercised, novel network destinations, or dropped local artifacts not aligned to the app's expected function. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'android:MDMLog', 'channel': 'Managed app distribution, enterprise catalog trust, and update policy remain expected while a known package exhibits materially different post-install or post-update behavior'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Known application version declares, gains, or first exercises storage, communications, accessibility, advertising, analytics, overlay, or sensor-adjacent capability inconsistent with prior version baseline or business role'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'android:MDMLog', 'channel': 'Newly installed or updated application launches background service, becomes active without recent user interaction, or executes immediately after update in a pattern inconsistent with baseline'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update'}
[AN1824] Analytic 1824 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Usage of insecure or malicious third-party libraries could b t A legitimate-seeming app or update arrives through an expect
+ e detected by application vetting services. Malicious softwa ed or trusted distribution path, but the delivered applicati
+ re development tools could be detected by enterprises that d on begins showing new entitlement exercise, background activ
+ eploy endpoint protection software on computers that are use ity, framework use, sensor access, or network behavior incon
+ d to develop mobile apps. Application vetting could detect t sistent with its prior baseline or documented role. Because
+ he usage of insecure or malicious third-party libraries. direct inspection of compromised dependencies or developer t
+ ooling is weaker on iOS, the defender emphasizes supervised-
+ device app inventory, post-update behavior drift, new first-
+ run or background patterns, and downstream communications th
+ at suggest compromised embedded libraries or manipulated bui
+ ld outputs.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Maximum span between install/version change and first suspicious post-delivery behavior.'}, {'field': 'SupervisedOnly', 'description': 'Whether the analytic should only apply to supervised devices with high-confidence managed app telemetry.'}, {'field': 'AllowedAppList', 'description': 'Approved apps expected to change capabilities, services, or destinations because of legitimate releases.'}, {'field': 'AllowedVersionChangeWindow', 'description': 'Grace period after an approved release during which limited behavior drift may be expected.'}, {'field': 'CapabilityDriftThreshold', 'description': 'Threshold for how much entitlement or capability drift is tolerated for a known app.'}, {'field': 'SensorDriftThreshold', 'description': 'Threshold for newly used sensors or privacy-sensitive resources tolerated for a known app.'}, {'field': 'ForegroundStateRequired', 'description': 'Whether certain behaviors should only be treated as suspicious when they occur without visible user interaction.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Threshold for distinguishing autonomous post-update activity from normal user-driven first-run behavior.'}, {'field': 'DestinationAllowList', 'description': 'Expected domains, telemetry services, or APIs associated with approved app updates and known SDK behavior.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-16 15:56:09.700000+00:00 description Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries. A legitimate-seeming app or update arrives through an expected or trusted distribution path, but the delivered application begins showing new entitlement exercise, background activity, framework use, sensor access, or network behavior inconsistent with its prior baseline or documented role. Because direct inspection of compromised dependencies or developer tooling is weaker on iOS, the defender emphasizes supervised-device app inventory, post-update behavior drift, new first-run or background patterns, and downstream communications that suggest compromised embedded libraries or manipulated build outputs. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2', 'name': 'iOS:MDMLog', 'channel': 'Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update'}
[AN1825] Analytic 1825 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can view and manage installed third-party keyboards t Defender observes an app gaining input-observation capabilit
+ . Application vetting services can look for applications req y (AccessibilityService enablement, default IME set, draw-ov
+ uesting the permissions granting access to accessibility ser er-apps permission), then creating an intercept surface (ove
+ vices or application overlay. rlay window, accessibility event stream consumption or IME k
+ eystroke callbacks), followed by persistence (local keylog/c
+ lipboard dump) and/or small, frequent network egress. Chain:
+ capability/permission → listener/overlay activation → burst
+ y input read events → local write → near-term exfil.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from input intercept to persist/exfil (e.g., 5–45s).'}, {'field': 'MinInputEventBurst', 'description': 'Minimum count of input events within window to flag harvesting (e.g., ≥5).'}, {'field': 'OverlayRequired', 'description': 'Require overlay creation if Accessibility not present (true/false).'}, {'field': 'PersistPathRegex', 'description': 'Regex for keylog/clipboard dump destinations in app container.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Known-good analytics/CDN endpoints to suppress FPs.'}, {'field': 'UserContext', 'description': 'Foreground/background/Work Profile or Kiosk policy to scope alerts.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 18:28:31.071000+00:00 description The user can view and manage installed third-party keyboards.
+Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Defender observes an app gaining input-observation capability (AccessibilityService enablement, default IME set, draw-over-apps permission), then creating an intercept surface (overlay window, accessibility event stream consumption or IME keystroke callbacks), followed by persistence (local keylog/clipboard dump) and/or small, frequent network egress. Chain: capability/permission → listener/overlay activation → bursty input read events → local write → near-term exfil. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'android:logcat', 'channel': 'Grant/activation of BIND_ACCESSIBILITY_SERVICE, BIND_INPUT_METHOD, SYSTEM_ALERT_WINDOW, POST_NOTIFICATIONS for '} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'android:logcat', 'channel': 'AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'android:logcat', 'channel': 'Default IME changed/active: imeId=, onStartInput/onFinishInput high frequency. TYPE_APPLICATION_OVERLAY|addView .* showing on top of package '} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'CREATE/WRITE paths like /data/data//files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log'}
[AN1826] Analytic 1826 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can view and manage installed third-party keyboards t Defender observes an app enabling or using input-capture sur
+ . Application vetting services can look for applications req faces (custom keyboard extension with Full Access, abnormal
+ uesting the permissions granting access to accessibility ser UI text entry interception, pasteboard polling adjacent to l
+ vices or application overlay. ogin screens), then persisting and/or exfiltrating captured
+ input. Chain: capability/consent (TCC for keyboard Full Acce
+ ss or input privacy domains) → intercept behavior (keyboard
+ extension active, repeated text field ‘editingChanged’/secur
+ e entry focus, background pasteboard reads) → local write →
+ near-term egress.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max time from intercept to persist/exfil (e.g., 5–60s).'}, {'field': 'MinKeyEventBurst', 'description': 'Minimum key/commit or editingChanged count to flag harvesting (e.g., ≥10).'}, {'field': 'KeyboardFullAccessRequired', 'description': 'Require keyboard Full Access to escalate severity (true/false).'}, {'field': 'PersistPathRegex', 'description': 'Regex for keylog/clipboard dump files.'}, {'field': 'ExfilDomainAllowlist', 'description': 'Known-good enterprise/analytics endpoints.'}, {'field': 'UserContext', 'description': 'Foreground state, Focus modes, MDM policy.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 18:41:55.176000+00:00 description The user can view and manage installed third-party keyboards.
+Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Defender observes an app enabling or using input-capture surfaces (custom keyboard extension with Full Access, abnormal UI text entry interception, pasteboard polling adjacent to login screens), then persisting and/or exfiltrating captured input. Chain: capability/consent (TCC for keyboard Full Access or input privacy domains) → intercept behavior (keyboard extension active, repeated text field ‘editingChanged’/secure entry focus, background pasteboard reads) → local write → near-term egress. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'iOS:unifiedlog', 'channel': 'Keyboard extension Full Access change; privacy grant touching input/keyboard categories for '} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'iOS:unifiedlog', 'channel': 'UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container'}
[AN1827] Analytic 1827 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Many properly configured firewalls may also naturally block t The defender correlates app-attributed outbound sessions whe
+ command and control traffic over non-standard ports. Applica re protocol indicators such as TLS handshake, HTTP method an
+ tion vetting reports may show network communications perform d header patterns, DNS semantics, or other application-layer
+ ed by the application, including hosts, ports, protocols, an characteristics are observed over a destination port outsid
+ d URLs. Further detection would most likely be at the enterp e the approved baseline for that protocol and app role. The
+ rise level, through packet and/or netflow inspection. strongest Android evidence is repeated or persistent app-att
+ ributed traffic using HTTPS-, HTTP-, DNS-, WebSocket-, or ot
+ her recognizable application behavior over uncommon destinat
+ ion ports, especially when the app is backgrounded, while th
+ e device is locked, without recent user interaction, or when
+ the app is unmanaged or not approved for that protocol-to-p
+ ort pairing.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'AllowedProtocolPortMappings', 'description': 'Approved protocol-to-port pairings vary by app, business workflow, proxy architecture, and enterprise policy.'}, {'field': 'AllowedAppList', 'description': 'Approved app identities vary by organization, role, and device group.'}, {'field': 'AllowedServiceClasses', 'description': 'Expected external service classes differ across app categories and enterprise mobile workflows.'}, {'field': 'TimeWindow', 'description': 'Correlation window linking non-standard-port sessions with lifecycle, framework, or local state changes.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close a session must be to user activity to be considered expected.'}, {'field': 'BeaconIntervalTolerance', 'description': 'Allowed recurrence interval for benign polling, sync, or persistent sessions differs by app type.'}, {'field': 'ForegroundStateRequired', 'description': 'Some apps should only initiate certain outbound communications while foregrounded.'}, {'field': 'EnterpriseExceptionList', 'description': 'Known developer tools, enterprise proxies, VPNs, relays, and security products may legitimately use uncommon ports.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-19 17:21:51.812000+00:00 description Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.
+Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. The defender correlates app-attributed outbound sessions where protocol indicators such as TLS handshake, HTTP method and header patterns, DNS semantics, or other application-layer characteristics are observed over a destination port outside the approved baseline for that protocol and app role. The strongest Android evidence is repeated or persistent app-attributed traffic using HTTPS-, HTTP-, DNS-, WebSocket-, or other recognizable application behavior over uncommon destination ports, especially when the app is backgrounded, while the device is locked, without recent user interaction, or when the app is unmanaged or not approved for that protocol-to-port pairing. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'AppState=background when non-standard-port session began and no foreground transition occurred during repeated or persistent connection sequence'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port'}
[AN1828] Analytic 1828 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Many properly configured firewalls may also naturally block t The defender correlates managed-app or supervised-device out
+ command and control traffic over non-standard ports. Applica bound sessions where protocol indicators such as TLS handsha
+ tion vetting reports may show network communications perform ke, HTTP semantics, or other application-layer behaviors are
+ ed by the application, including hosts, ports, protocols, an observed over destination ports outside the approved baseli
+ d URLs. Further detection would most likely be at the enterp ne for that protocol and bundle role. The strongest iOS evid
+ rise level, through packet and/or netflow inspection. ence is network telemetry showing repeated or persistent ses
+ sions using recognizable application protocols over uncommon
+ ports, particularly during background refresh, while the de
+ vice is locked, or without recent user interaction. Because
+ direct local runtime attribution is weaker than Android, the
+ primary iOS analytic should be anchored on network protocol
+ -versus-port mismatch plus supervised managed-app context an
+ d device-state enrichment.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'AllowedProtocolPortMappings', 'description': 'Approved protocol-to-port pairings vary by bundle, business workflow, proxy architecture, and enterprise policy.'}, {'field': 'SupervisedRequired', 'description': 'Strongest bundle-governance and protocol-port baseline analytics depend on supervised iOS devices.'}, {'field': 'AllowedManagedApps', 'description': 'Approved managed bundle identities vary by organization and device profile.'}, {'field': 'AllowedServiceClasses', 'description': 'Expected external service classes differ across managed app categories and enterprise mobile workflows.'}, {'field': 'TimeWindow', 'description': 'Correlation window linking non-standard-port sessions with lifecycle or local context signals.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close a session must be to user activity to be considered expected.'}, {'field': 'BeaconIntervalTolerance', 'description': 'Allowed recurrence interval for benign polling, sync, or persistent sessions differs by bundle type.'}, {'field': 'EnterpriseExceptionList', 'description': 'Known enterprise proxies, relays, developer tooling, and security products may legitimately use uncommon ports.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-19 19:41:30.977000+00:00 description Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.
+Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. The defender correlates managed-app or supervised-device outbound sessions where protocol indicators such as TLS handshake, HTTP semantics, or other application-layer behaviors are observed over destination ports outside the approved baseline for that protocol and bundle role. The strongest iOS evidence is network telemetry showing repeated or persistent sessions using recognizable application protocols over uncommon ports, particularly during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime attribution is weaker than Android, the primary iOS analytic should be anchored on network protocol-versus-port mismatch plus supervised managed-app context and device-state enrichment. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a', 'name': 'Network Traffic', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'VPN:MobileProxy', 'channel': 'Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing'}
[AN1829] Analytic 1829 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Scheduling tasks/jobs can be difficult to detect, and theref t The defender correlates creation or registration of deferred
+ ore enterprises may be better served focusing on detection a , repeating, or constraint-based background work with later
+ t other stages of adversarial behavior. task execution in the same app context, especially when the
+ task executes without recent user interaction, from backgrou
+ nd state, or with follow-on file, sensor, or network behavio
+ r inconsistent with the app's declared role. The analytic pr
+ ioritizes Android-observable control-plane effects: WorkMana
+ ger enqueue operations, JobScheduler or AlarmManager schedul
+ ing, later wake or execution of the scheduled work, and post
+ -trigger activity such as network sessions, local staging, o
+ r sensor access.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3', 'name': 'MobiledEDR:telemetry', 'channel': 'Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between task registration and later execution, and between execution and follow-on behavior'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to use WorkManager, JobScheduler, or AlarmManager such as mail, sync, backup, calendar, or enterprise management apps'}, {'field': 'AllowedConstraintProfiles', 'description': 'Expected charging, network, idle, or timing constraints for legitimate scheduled work'}, {'field': 'AllowedScheduleIntervals', 'description': 'Expected delay or periodic interval ranges for legitimate app behavior'}, {'field': 'ForegroundStateRequired', 'description': 'Whether follow-on activity from a scheduled task should only occur during active user-driven workflows for a given app'}, {'field': 'TriggerToNetworkWindow', 'description': 'Maximum expected delay between scheduled job trigger and outbound communication'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume after scheduled execution to treat network behavior as meaningful'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 17:06:45.192000+00:00 description Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. The defender correlates creation or registration of deferred, repeating, or constraint-based background work with later task execution in the same app context, especially when the task executes without recent user interaction, from background state, or with follow-on file, sensor, or network behavior inconsistent with the app's declared role. The analytic prioritizes Android-observable control-plane effects: WorkManager enqueue operations, JobScheduler or AlarmManager scheduling, later wake or execution of the scheduled work, and post-trigger activity such as network sessions, local staging, or sensor access. x_mitre_version 1.0 1.1
[AN1830] Analytic 1830 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Scheduling tasks/jobs can be difficult to detect, and theref t The defender correlates creation of background scheduler act
+ ore enterprises may be better served focusing on detection a ivity with later execution of repeating or deferred work by
+ t other stages of adversarial behavior. the same managed app, then raises confidence when the trigge
+ red activity produces network, local-write, or other app beh
+ avior that occurs outside expected user context. Because iOS
+ exposes weaker direct scheduling observability in many ente
+ rprise environments, the analytic anchors first on managed a
+ pp posture and lifecycle-to-network or lifecycle-to-file eff
+ ects, with NSBackgroundActivityScheduler-related behavior tr
+ eated as strongest when runtime telemetry can observe backgr
+ ound scheduler usage or execution callbacks.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3', 'name': 'MobiledEDR:telemetry', 'channel': 'Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between scheduler creation, later execution, and follow-on file or network behavior'}, {'field': 'AllowedAppList', 'description': 'Managed apps legitimately expected to perform background maintenance or deferred sync behavior'}, {'field': 'AllowedExecutionIntervals', 'description': 'Expected repeating interval or defer window for legitimate background activity'}, {'field': 'ForegroundStateRequired', 'description': 'Whether follow-on behavior from background scheduler execution should require recent user interaction'}, {'field': 'TriggerToNetworkWindow', 'description': 'Maximum expected delay between scheduled execution and outbound communication'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume after scheduled execution to treat network behavior as meaningful'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 17:09:39.997000+00:00 description Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. The defender correlates creation of background scheduler activity with later execution of repeating or deferred work by the same managed app, then raises confidence when the triggered activity produces network, local-write, or other app behavior that occurs outside expected user context. Because iOS exposes weaker direct scheduling observability in many enterprise environments, the analytic anchors first on managed app posture and lifecycle-to-network or lifecycle-to-file effects, with NSBackgroundActivityScheduler-related behavior treated as strongest when runtime telemetry can observe background scheduler usage or execution callbacks. x_mitre_version 1.0 1.1
[AN1837] Analytic 1837 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect which broadcast inte t Correlates (1) application registration or activation of bro
+ nts an application registers for and which permissions it re adcast receivers tied to system or app-generated intents, (2
+ quests. ) event-triggered execution while the application is not in
+ the foreground, and (3) immediate follow-on actions such as
+ network communication or data access. The defender observes
+ a causal chain where an external event (e.g., BOOT_COMPLETED
+ , SMS_RECEIVED, USER_PRESENT, CONNECTIVITY_CHANGE) triggers
+ application execution that bypasses normal user-driven lifec
+ ycle expectations, followed by background processing or outb
+ ound activity.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Time correlation window between broadcast event and subsequent execution or network activity'}, {'field': 'SensitiveIntentList', 'description': 'List of broadcast intents considered high-risk (e.g., BOOT_COMPLETED, SMS_RECEIVED)'}, {'field': 'AllowedAppList', 'description': 'Baseline of legitimate applications expected to use broadcast receivers for these intents'}, {'field': 'ForegroundStateRequired', 'description': 'Determines whether execution without foreground presence increases detection confidence'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 21:18:39.945000+00:00 description Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. Correlates (1) application registration or activation of broadcast receivers tied to system or app-generated intents, (2) event-triggered execution while the application is not in the foreground, and (3) immediate follow-on actions such as network communication or data access. The defender observes a causal chain where an external event (e.g., BOOT_COMPLETED, SMS_RECEIVED, USER_PRESENT, CONNECTIVITY_CHANGE) triggers application execution that bypasses normal user-driven lifecycle expectations, followed by background processing or outbound activity. x_mitre_log_source_references[0]['x_mitre_data_component_ref'] x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43 x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e x_mitre_log_source_references[0]['name'] Application Vetting MobileEDR:telemetry x_mitre_log_source_references[0]['channel'] None application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events x_mitre_version 1.0 1.1
[AN1840] Analytic 1840 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Accessing data from the local system can be difficult to det t The defender correlates newly granted or recently exercised
+ ect, and therefore enterprises may be better served focusing storage- or privilege-relevant access with burst reads of lo
+ on detection at other stages of adversarial behavior. cal files, local databases, or protected records from operat
+ ing-system or external-storage locations, especially when th
+ e reads are inconsistent with app role, occur in background
+ or locked-device context, or are followed by temporary data
+ staging or network transmission. The analytic emphasizes And
+ roid-specific observables such as external storage access, a
+ pp-private database reads where visible to the sensor, and r
+ epeated enumeration/read activity against local paths associ
+ ated with media, tokens, caches, or exported application dat
+ a.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed app granted or retaining storage-related or elevated access inconsistent with declared function prior to local data access activity'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase"}, {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'MobileEDR:telemetry', 'channel': 'Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between permission state, local data reads, optional staging, and outbound transfer'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to read local files or databases such as backup, sync, file manager, security, or media management apps'}, {'field': 'AllowedPathList', 'description': 'Expected local paths, storage roots, and database locations for legitimate app behavior'}, {'field': 'ForegroundStateRequired', 'description': 'Whether sensitive local data access should happen only during active user-driven workflows'}, {'field': 'BurstReadThreshold', 'description': 'Minimum number of file or record reads within a short interval required to indicate suspicious collection'}, {'field': 'SensitivePathPatterns', 'description': 'Environment-specific list of high-value local paths such as external media roots, app export folders, token stores, or browser data 
locations'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum upload size expected if collection is followed by exfiltration'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-08 20:08:28.641000+00:00 description Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. The defender correlates newly granted or recently exercised storage- or privilege-relevant access with burst reads of local files, local databases, or protected records from operating-system or external-storage locations, especially when the reads are inconsistent with app role, occur in background or locked-device context, or are followed by temporary data staging or network transmission. The analytic emphasizes Android-specific observables such as external storage access, app-private database reads where visible to the sensor, and repeated enumeration/read activity against local paths associated with media, tokens, caches, or exported application data. x_mitre_version 1.0 1.1
[AN1841] Analytic 1841 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Accessing data from the local system can be difficult to det t The defender correlates supervised-device app posture and li
+ ect, and therefore enterprises may be better served focusing fecycle context with repeated local file or local-database a
+ on detection at other stages of adversarial behavior. ccess effects, especially when a managed app reads browser,
+ messaging, keychain-adjacent, or application-container data
+ outside its expected role and then stages or uploads the res
+ ult. Because direct low-level local system access visibility
+ is weaker on iOS, the primary analytic is effect-based: man
+ aged app identity, file/database access where visible to the
+ mobile sensor, background execution context, and near-term
+ outbound communication.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Supervised managed app without expected local export, sync, or forensic role accesses or stages local records inconsistent with policy baseline'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71', 'name': 'MobileEDR:telemetry', 'channel': 'Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between managed app posture, local access activity, optional staging, and upload'}, {'field': 'AllowedAppList', 'description': 'Managed apps expected to access local records such as enterprise sync, backup, or approved investigation tools'}, {'field': 'AllowedContainerPatterns', 'description': 'Expected app-container or local artifact locations for legitimate workflows'}, {'field': 'ForegroundStateRequired', 'description': 'Whether local record access should happen only during active user interaction'}, {'field': 'BurstReadThreshold', 'description': 'Minimum number of local file or record reads in a short interval required for alerting'}, {'field': 'SensitiveArtifactPatterns', 'description': 'Environment-specific list of high-value browser, messaging, token, or local record artifacts'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume consistent with recent local data collection'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-08 20:07:42.093000+00:00 description Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. The defender correlates supervised-device app posture and lifecycle context with repeated local file or local-database access effects, especially when a managed app reads browser, messaging, keychain-adjacent, or application-container data outside its expected role and then stages or uploads the result. Because direct low-level local system access visibility is weaker on iOS, the primary analytic is effect-based: managed app identity, file/database access where visible to the mobile sensor, background execution context, and near-term outbound communication. x_mitre_version 1.0 1.1
[AN1842] Analytic 1842 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t The user can examine the list of all installed applications, t Correlates (1) suppression or disablement of launcher-visibl
+ including those with a suppressed icon, in the device setti e application components or effective reduction of user-faci
+ ngs. If the user is redirected to the device settings when t ng launcher presence, (2) persistence of installed applicati
+ apping an application’s icon, they should inspect the applic on state after icon suppression, and (3) continued runtime a
+ ation to ensure it is genuine. Application vetting services ctivity such as background execution, framework use, sensor
+ could potentially detect the usage of APIs intended for supp access, or network communication after the icon becomes unav
+ ressing the application’s icon. ailable or is replaced by reduced-discoverability launcher b
+ ehavior. The defender observes a causal chain where an app r
+ emoves or reduces its launcher visibility while remaining op
+ erational and continuing meaningful activity.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between icon suppression and later runtime activity'}, {'field': 'AllowedAppList', 'description': 'Baseline of legitimate apps permitted to reduce launcher visibility, such as managed agents, work-profile utilities, or system applications'}, {'field': 'ForegroundStateRequired', 'description': 'Whether post-suppression behavior is only suspicious when no recent foreground interaction is present'}, {'field': 'SuppressionMode', 'description': 'Environment-specific handling of hidden, disabled, or synthesized launcher behavior depending on Android version and management posture'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background maintenance'}, {'field': 'SensorAfterSuppressionThreshold', 'description': 'Threshold for sensor access frequency after launcher visibility is reduced'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:30:29.495000+00:00 description The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine.
+Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon. Correlates (1) suppression or disablement of launcher-visible application components or effective reduction of user-facing launcher presence, (2) persistence of installed application state after icon suppression, and (3) continued runtime activity such as background execution, framework use, sensor access, or network communication after the icon becomes unavailable or is replaced by reduced-discoverability launcher behavior. The defender observes a causal chain where an app removes or reduces its launcher visibility while remaining operational and continuing meaningful activity. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6', 'name': 'User Interface', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'installed application remains present while launcher-visible activity or component discoverability changes to hidden, disabled, or synthesized-settings-entry state prior to later runtime activity'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression'}
[AN1847] Analytic 1847 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t This is abuse of standard OS-level APIs and are therefore ty t The defender correlates application loading or invoking nati
+ pically undetectable to the end user. ve libraries through JNI or NDK-backed execution paths with
+ subsequent lower-level activity such as native thread creati
+ on, sensor access, file operations, or outbound network comm
+ unication that is inconsistent with the app's declared role
+ or recent user interaction. The analytic prioritizes defende
+ r-observable control-plane effects: native library load or J
+ NI bridge use, transition into native execution context, and
+ immediate post-load behavior occurring from background stat
+ e, locked-device state, or non-baselined app categories.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Native library load or JNI-backed execution occurs while app_state=background or device_locked=true or recent_user_interaction=false during the execution phase'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed application without approved native-code role or expected high-performance/native dependency exhibits native execution behavior inconsistent with enterprise policy baseline'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between native library load, JNI/native execution, and follow-on behavior'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to use native code, such as games, media, enterprise VPN, security tools, or performance-intensive apps'}, {'field': 'AllowedLibraryPatterns', 'description': 'Expected native library names, paths, signing attributes, or packaging patterns for approved applications'}, {'field': 'ForegroundStateRequired', 'description': 'Whether native execution should only occur during active user-driven workflows for a given app role'}, {'field': 'LibraryPathPatterns', 'description': 'Environment-specific list of 
suspicious temporary, extracted, or dynamically staged native library locations'}, {'field': 'PostLoadBehaviorThreshold', 'description': 'Minimum number or severity of suspicious actions after native load required to elevate confidence'}, {'field': 'UplinkBytesThreshold', 'description': 'Minimum outbound volume after native execution to treat network activity as meaningful follow-on behavior'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 16:13:11.156000+00:00 description This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user. The defender correlates application loading or invoking native libraries through JNI or NDK-backed execution paths with subsequent lower-level activity such as native thread creation, sensor access, file operations, or outbound network communication that is inconsistent with the app's declared role or recent user interaction. The analytic prioritizes defender-observable control-plane effects: native library load or JNI bridge use, transition into native execution context, and immediate post-load behavior occurring from background state, locked-device state, or non-baselined app categories. x_mitre_version 1.0 1.1
[AN1848] Analytic 1848 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for connections to u t The defender correlates an application establishing outbound
+ nknown domains or IP addresses. Application vetting service retrieval to a non-baselined external source with immediate
+ s may indicate precisely what content was requested during a local creation of a new executable, module, staged payload,
+ pplication execution. overlay asset, or secondary file in app-controlled or share
+ d storage, followed by optional load, invocation, handoff, o
+ r repeat retrieval behavior. The analytic prioritizes Androi
+ d-observable effects: network download activity, DownloadMan
+ ager or direct HTTP retrieval, file creation in package-spec
+ ific or external paths, and execution context inconsistent w
+ ith recent user interaction or the app’s declared role.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between remote retrieval, local write, and any follow-on load or transfer completion'}, {'field': 'AllowedAppList', 'description': 'Apps legitimately expected to download files such as browsers, enterprise app stores, backup/sync tools, or content delivery apps'}, {'field': 'AllowedDestinationList', 'description': 'Approved software distribution, CDN, MDM, and enterprise update endpoints'}, {'field': 'AllowedPathList', 'description': 'Expected local download, cache, and update paths for legitimate app behavior'}, {'field': 'IngressBytesThreshold', 'description': 'Minimum inbound transfer size consistent with a staged secondary tool or payload'}, {'field': 'ForegroundStateRequired', 'description': 'Whether file retrieval should occur only during active user-driven workflows'}, {'field': 'FileTypeRiskPatterns', 'description': 'Environment-specific set of retrieved file classes considered suspicious such as apk, dex, jar, so, zip, html overlay, or opaque blob'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 15:57:30.214000+00:00 description Application vetting services could look for connections to unknown domains or IP addresses.
+Application vetting services may indicate precisely what content was requested during application execution. The defender correlates an application establishing outbound retrieval to a non-baselined external source with immediate local creation of a new executable, module, staged payload, overlay asset, or secondary file in app-controlled or shared storage, followed by optional load, invocation, handoff, or repeat retrieval behavior. The analytic prioritizes Android-observable effects: network download activity, DownloadManager or direct HTTP retrieval, file creation in package-specific or external paths, and execution context inconsistent with recent user interaction or the app’s declared role. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Ingress transfer and local file creation occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed app without approved content-download, update, browser, or file-sync role performs remote payload retrieval and local tool staging'}
[AN1849] Analytic 1849 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services could look for connections to u t The defender correlates managed-app network retrieval from a
+ nknown domains or IP addresses. Application vetting service non-baselined external source with immediate creation of a
+ s may indicate precisely what content was requested during a new local artifact, staged resource, module-like file, or op
+ pplication execution. aque payload inside the app container, followed by optional
+ dynamic loading, handoff, or repeat retrieval behavior. Beca
+ use iOS offers weaker direct visibility into tool staging in
+ ternals than Android in many environments, the analytic anch
+ ors first on network acquisition plus managed app identity a
+ nd then strengthens confidence with file creation or process
+ -activity effects where mobile telemetry is available.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between remote retrieval, local staging, and any follow-on file handling'}, {'field': 'AllowedAppList', 'description': 'Managed apps legitimately expected to download secondary content or updates'}, {'field': 'AllowedDestinationList', 'description': 'Approved content, MDM, enterprise, and application-update endpoints'}, {'field': 'AllowedContainerPatterns', 'description': 'Expected app-container paths for legitimate downloaded assets'}, {'field': 'IngressBytesThreshold', 'description': 'Minimum inbound transfer volume consistent with secondary tool or payload retrieval'}, {'field': 'ForegroundStateRequired', 'description': 'Whether retrieval should happen only in active user-driven workflows'}, {'field': 'ArtifactRiskPatterns', 'description': 'Environment-specific file or content patterns considered suspicious such as staged dylib-like resources, html overlays, archives, or opaque blobs'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 16:02:15.040000+00:00 description Application vetting services could look for connections to unknown domains or IP addresses.
+Application vetting services may indicate precisely what content was requested during application execution. The defender correlates managed-app network retrieval from a non-baselined external source with immediate creation of a new local artifact, staged resource, module-like file, or opaque payload inside the app container, followed by optional dynamic loading, handoff, or repeat retrieval behavior. Because iOS offers weaker direct visibility into tool staging internals than Android in many environments, the analytic anchors first on network acquisition plus managed app identity and then strengthens confidence with file creation or process-activity effects where mobile telemetry is available. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Ingress retrieval and staging occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Supervised managed app without approved update, browser, sync, or enterprise-content role retrieves and stages secondary content inconsistent with policy baseline'}
[AN1850] Analytic 1850 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Hooking can be difficult to detect, and therefore enterprise t Correlates (1) device posture changes indicating root or ele
+ s may be better served focusing on detection at other stages vated privilege state, (2) runtime framework manipulation or
+ of adversarial behavior. injection into application processes, and (3) anomalous API
+ behavior or suppressed security signals. The defender obser
+ ves a causal chain where an application gains privileged exe
+ cution context, interacts with system frameworks (e.g., ART/
+ Zygote), and modifies expected API outputs or suppresses sec
+ urity-relevant signals such as permission checks, sensor acc
+ ess reporting, or process visibility.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_log_source_references [{'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'device transitions to non-compliant state + root detected or integrity attestation failure (SafetyNet/Play Integrity)'}, {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior'}] x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Defines correlation window between root detection, runtime manipulation, and anomalous API behavior'}, {'field': 'AllowedAppList', 'description': 'Baseline of known applications that legitimately use instrumentation or debugging frameworks'}, {'field': 'ForegroundStateRequired', 'description': 'Determines whether suspicious API manipulation must occur in background to increase fidelity'}, {'field': 'IntegritySignalSource', 'description': 'Defines which attestation signals (Play Integrity, OEM attestation) are trusted in the environment'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-09 19:56:13.060000+00:00 description Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. Correlates (1) device posture changes indicating root or elevated privilege state, (2) runtime framework manipulation or injection into application processes, and (3) anomalous API behavior or suppressed security signals. The defender observes a causal chain where an application gains privileged execution context, interacts with system frameworks (e.g., ART/Zygote), and modifies expected API outputs or suppresses security-relevant signals such as permission checks, sensor access reporting, or process visibility. x_mitre_version 1.0 1.1
[AN1851] Analytic 1851 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Dynamic analysis, when used in application vetting, may in s t Defender correlates a sandboxed app writing high-entropy or
+ ome cases be able to identify malicious code in obfuscated o encoded artifacts (often in app-private or shared storage),
+ r encrypted form by detecting the code at execution time (af performing decode/decompress/reassembly, then dynamically lo
+ ter it is deobfuscated or decrypted). Some application vetti ading/execing the resulting code (DexClassLoader/JNI dlopen)
+ ng techniques apply reputation analysis of the application d or spawning a helper process. Sequence: high-entropy file w
+ eveloper and can alert to potentially suspicious application rites → decode/unpack bursts → new .dex/.so/.jar creation in
+ s without actual examination of application code. temp/obfuscated paths → dynamic load or shell spawn within
+ a tight window.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max interval to correlate write→decode→load stages (e.g., 5–60s depending on device performance).'}, {'field': 'PayloadEntropyThreshold', 'description': 'Shannon entropy threshold to flag likely obfuscated blobs (e.g., ≥ 7.2).'}, {'field': 'SuspiciousWriteDirs', 'description': 'Directories to monitor (e.g., app /files, cache, /sdcard/Download). OEMs vary.'}, {'field': 'ChunkCountThreshold', 'description': 'Minimum count of small sequential writes (split payload reassembly).'}, {'field': 'NetworkCDNAllowlist', 'description': 'Benign CDNs/hosts for large opaque downloads to reduce FPs.'}, {'field': 'ExecPathRegex', 'description': 'Regex for newly loaded .dex/.so/.jar/temp artifacts.'}, {'field': 'UserContext', 'description': 'Foreground/background or developer mode context to suppress test noise.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-16 16:27:24.678000+00:00 description Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code. Defender correlates a sandboxed app writing high-entropy or encoded artifacts (often in app-private or shared storage), performing decode/decompress/reassembly, then dynamically loading/execing the resulting code (DexClassLoader/JNI dlopen) or spawning a helper process. Sequence: high-entropy file writes → decode/unpack bursts → new .dex/.so/.jar creation in temp/obfuscated paths → dynamic load or shell spawn within a tight window. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'android:logcat', 'channel': 'App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data//files/, /sdcard/Download/) and high estimated entropy'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1', 'name': 'android:logcat', 'channel': 'DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1', 'name': 'android:logcat', 'channel': 'Short burst of file I/O followed by JNI/dlopen of a newly created .so'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'android:logcat', 'channel': 'SELinux AVC related to execute_no_trans/execmem after decode/unpack activity by the same app UID'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'NSM:Flow', 'channel': 'TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write'}
[AN1852] Analytic 1852 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Dynamic analysis, when used in application vetting, may in s t Defender correlates a sandboxed app downloading or receiving
+ ome cases be able to identify malicious code in obfuscated o opaque/encoded blobs, writing high-entropy content into con
+ r encrypted form by detecting the code at execution time (af tainer/tmp, performing decode/decompress/reassembly, and the
+ ter it is deobfuscated or decrypted). Some application vetti n executing/loaded as Mach-O or bundle (dlopen) or leveragin
+ ng techniques apply reputation analysis of the application d g JIT/RWX pages to run the decoded payload. Sequence: opaque
+ eveloper and can alert to potentially suspicious application download or IPC → high-entropy writes/split-file bursts → d
+ s without actual examination of application code. ecode/unarchive → new Mach-O/bundle in tmp → dlopen/posix_sp
+ awn or RWX region activity.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindowSeconds', 'description': 'Max interval to link write→decode→load/exec (e.g., 5–45s depending on device and iOS version).'}, {'field': 'PayloadEntropyThreshold', 'description': 'Entropy threshold to consider a file obfuscated/packed (e.g., ≥ 7.3).'}, {'field': 'SplitWriteBurstMin', 'description': 'Minimum count of small sequential writes to flag reassembly behaviors.'}, {'field': 'AppContainerPaths', 'description': 'Container subpaths to monitor (tmp, Library/Caches, Documents) vary by policy.'}, {'field': 'KnownGoodBundles', 'description': 'Allowlist of legitimate dynamically loaded bundles/plugins to reduce FPs.'}, {'field': 'PerAppVPNAllowlist', 'description': 'Known enterprise services carrying opaque archives to avoid false alerts.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-01-29 17:05:14.514000+00:00 description Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code. Defender correlates a sandboxed app downloading or receiving opaque/encoded blobs, writing high-entropy content into container/tmp, performing decode/decompress/reassembly, and then executing/loaded as Mach-O or bundle (dlopen) or leveraging JIT/RWX pages to run the decoded payload. Sequence: opaque download or IPC → high-entropy writes/split-file bursts → decode/unarchive → new Mach-O/bundle in tmp → dlopen/posix_spawn or RWX region activity. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'iOS:unifiedlog', 'channel': 'NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application//tmp|Library/Caches)'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'iOS:unifiedlog', 'channel': 'Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1', 'name': 'iOS:unifiedlog', 'channel': 'dyld: dlopen/dyld_cache load from non-standard app-writable path'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c', 'name': 'iOS:unifiedlog', 'channel': 'Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files'}
[AN1853] Analytic 1853 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect malicious code in ap t The defender correlates the arrival, installation, or update
+ plications. System partition integrity checking mechanisms c of a trusted or expected application with a subsequent devi
+ an detect unauthorized or malicious code contained in the sy ation in package trust characteristics, permission posture,
+ stem partition. protected-resource use, framework behavior, or network commu
+ nication that is inconsistent with the known-good role of th
+ at app. The strongest Android evidence is a managed or trust
+ ed package whose first-run or post-update behavior introduce
+ s unexpected special access, sensitive sensor use, unusual b
+ ackground execution, privileged framework interaction, or ou
+ tbound communication to destinations outside the app's basel
+ ine shortly after installation or update.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between install/update and subsequent runtime/network effects.'}, {'field': 'AllowedAppList', 'description': 'Approved managed or trusted applications vary by organization and device group.'}, {'field': 'AllowedInstallerSources', 'description': 'Permitted installer source or app delivery mechanism differs by fleet and policy.'}, {'field': 'AllowedSigningBaseline', 'description': 'Expected signing lineage, certificate relationship, or integrity metadata vary by package.'}, {'field': 'ForegroundStateRequired', 'description': 'Some protected-resource use is legitimate only when an app is foregrounded.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close behavior must be to user interaction to be considered expected.'}, {'field': 'AllowedDestinations', 'description': 'Expected app destinations, CDNs, APIs, and service providers vary by app and tenant.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-17 15:44:07.335000+00:00 description Application vetting services can detect malicious code in applications.
+System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition. The defender correlates the arrival, installation, or update of a trusted or expected application with a subsequent deviation in package trust characteristics, permission posture, protected-resource use, framework behavior, or network communication that is inconsistent with the known-good role of that app. The strongest Android evidence is a managed or trusted package whose first-run or post-update behavior introduces unexpected special access, sensitive sensor use, unusual background execution, privileged framework interaction, or outbound communication to destinations outside the app's baseline shortly after installation or update. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'android:MDMLog', 'channel': 'Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access'} x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c', 'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer'}
[AN1854] Analytic 1854 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Application vetting services can detect malicious code in ap t Anchor on supervised managed-app install/update or version d
+ plications. System partition integrity checking mechanisms c rift, then correlate with unexpected background activity, ma
+ an detect unauthorized or malicious code contained in the sy naged-app state changes, or egress inconsistent with the app
+ stem partition. 's historical and policy baseline.
+
+
Details dictionary_item_added STIX Field Old value New Value x_mitre_mutable_elements [{'field': 'TimeWindow', 'description': 'Correlation window between app install/update and subsequent lifecycle or network anomalies.'}, {'field': 'SupervisedRequired', 'description': 'Strongest app inventory and managed state analytics depend on supervised iOS devices.'}, {'field': 'AllowedManagedApps', 'description': 'Approved managed app set varies by organization, business unit, and device profile.'}, {'field': 'ExpectedVersionTransitionPolicy', 'description': 'Allowed upgrade paths, release rings, and phased rollout patterns vary by environment.'}, {'field': 'AllowedDestinations', 'description': 'Expected app destinations, enterprise backends, Apple services, and CDNs differ by app.'}, {'field': 'BackgroundRefreshBaseline', 'description': 'Legitimate background activity differs by app category and policy.'}, {'field': 'RecentUserInteractionWindow', 'description': 'Defines how close runtime/network activity must be to user action to be considered expected.'}, {'field': 'UplinkBytesThreshold', 'description': 'Threshold for suspicious post-update outbound transfer volume.'}]
values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-03-17 17:55:46.302000+00:00 description Application vetting services can detect malicious code in applications.
+System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition. Anchor on supervised managed-app install/update or version drift, then correlate with unexpected background activity, managed-app state changes, or egress inconsistent with the app's historical and policy baseline. x_mitre_version 1.0 1.1 x_mitre_log_source_references[0] {'x_mitre_data_component_ref': 'x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962', 'name': 'Application Vetting', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43', 'name': 'iOS:MDMLog', 'channel': 'Supervised managed app is newly installed or updated and presents unexpected version transition, inventory drift, managed-state change, or app attribute mismatch against approved procurement and release baseline'} x_mitre_log_source_references[1] {'x_mitre_data_component_ref': 'x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6', 'name': 'Sensor Health', 'channel': 'None'} {'x_mitre_data_component_ref': 'x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9', 'name': 'MobileEDR:telemetry', 'channel': 'Recently installed or updated managed app begins background activity, persistent refresh, or lock-state-adjacent activity inconsistent with expected first-run behavior, user interaction timing, or historical baseline'}
iterable_item_added STIX Field Old value New Value x_mitre_log_source_references {'x_mitre_data_component_ref': 'x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e', 'name': 'iOS:unifiedlog', 'channel': 'Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior'}
ics-attack New Analytics [AN2045] Analytic 2045 Current version : 1.0
Description :
Unauthorized messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Unauthorized messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for benign reasons. Monitor messages for changes in how they are constructed.
+Monitor for anomalous or unexpected messages that may result in changes to the process operation observable via asset application logs (e.g., discrete write, logic and device configuration, mode changes, safety triggers).
+Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique.
[AN2046] Analytic 2046 Current version : 1.0
Description :
Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.
+Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
+Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.
+Monitor for a loss of network communications, which may indicate this technique is being used.
+Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages are blocked.
[AN2047] Analytic 2047 Current version : 1.0
Description :
Monitor for firmware changes which may be observable via operational alarms from devices.
+Monitor device application logs for firmware changes, although not all devices will produce such logs.
+Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.
+Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)
[AN2048] Analytic 2048 Current version : 1.0
Description :
Monitor network traffic for insecure credential use in protocols that allow unencrypted authentication.
+Monitor logon sessions for insecure credential use, when feasible.
[AN2049] Analytic 2049 Current version : 1.0
Description :
Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.
[AN2050] Analytic 2050 Current version : 1.0
Description :
Monitor for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.
+Monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.
[AN2051] Analytic 2051 Current version : 1.0
Description :
Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.
+Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery .
[AN2052] Analytic 2052 Current version : 1.0
Description :
Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.
+Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery .
[AN2053] Analytic 2053 Current version : 1.0
Description :
Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages are blocked.
+Monitor for a loss of network communications, which may indicate this technique is being used.
+Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution but instead may provide additional evidence that the technique has been used and may complement other detections.
+Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.
+Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.
[AN2054] Analytic 2054 Current version : 1.0
Description :
Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Ethernet messages are blocked.
+Monitor for a loss of network communications, which may indicate this technique is being used.
+Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution but instead may provide additional evidence that the technique has been used and may complement other detections.
+Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.
+Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.
[AN2055] Analytic 2055 Current version : 1.0
Description :
Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Wi-Fi messages are blocked.
+Monitor for a loss of network communications, which may indicate this technique is being used.
+Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
+Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.
+Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.
[AN2056] Analytic 2056 Current version : 1.0
Description :
Monitor device alarms for program downloads, although not all devices produce such alarms.
+Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.
+Consult asset management systems to understand expected program versions.
+Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.
[AN2057] Analytic 2057 Current version : 1.0
Description :
Monitor device alarms for program downloads, although not all devices produce such alarms.
+Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.
+Consult asset management systems to understand expected program versions.
+Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.
[AN2058] Analytic 2058 Current version : 1.0
Description :
Monitor device alarms for program downloads, although not all devices produce such alarms.
+Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.
+Consult asset management systems to understand expected program versions.
+Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.
Minor Version Changes [AN1864] Analytic 1864 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Monitor for firmware changes which may be observable via ope t Monitor for firmware changes which may be observable via ope
+ rational alarms from devices. Monitor device application log rational alarms from devices. Monitor device application log
+ s for firmware changes, although not all devices will produc s for firmware changes, although not all devices will produc
+ e such logs. Monitor firmware for unexpected changes. Asset e such logs. Monitor firmware for unexpected changes. Asset
+ management systems should be consulted to understand known-g management systems should be consulted to understand known-g
+ ood firmware versions. Dump and inspect BIOS images on vulne ood firmware versions. Dump and inspect BIOS images on vulne
+ rable systems and compare against known good images.(Citatio rable systems and compare against known good images.(Citatio
+ n: MITRE Copernicus) Analyze differences to determine if mal n: MITRE Copernicus) Analyze differences to determine if mal
+ icious changes have occurred. Log attempts to read/write to icious changes have occurred. Log attempts to read/write to
+ BIOS and compare against known patching behavior. Likewise, BIOS and compare against known patching behavior. Likewise,
+ EFI modules can be collected and compared against a known-cl EFI modules can be collected and compared against a known-cl
+ ean list of EFI executable binaries to detect potentially ma ean list of EFI executable binaries to detect potentially ma
+ licious modules. The CHIPSEC framework can be used for analy licious modules. The CHIPSEC framework can be used for analy
+ sis to determine if firmware modifications have been perform sis to determine if firmware modifications have been perform
+ ed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC ed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)
+ ) (Citation: Intel HackingTeam UEFI Rootkit) Monitor ICS man (Citation: Intel HackingTeam UEFI Rootkit) Monitor ICS manag
+ agement protocols / file transfer protocols for protocol fun ement protocols / file transfer protocols for protocol funct
+ ctions related to firmware changes. ions related to firmware changes.
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:33:55.812000+00:00 description Monitor for firmware changes which may be observable via operational alarms from devices.
+Monitor device application logs for firmware changes, although not all devices will produce such logs.
+Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)
+Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor for firmware changes which may be observable via operational alarms from devices.
+Monitor device application logs for firmware changes, although not all devices will produce such logs.
+Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)
+Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. x_mitre_version 1.0 1.1
[AN1922] Analytic 1922 Current version : 1.1
Version changed from : 1.0 → 1.1
+
+
+
+
+
+ t Monitor for firmware changes which may be observable via ope t Monitor for firmware changes which may be observable via ope
+ rational alarms from devices. Monitor device application log rational alarms from devices. Monitor device application log
+ s for firmware changes, although not all devices will produc s for firmware changes, although not all devices will produc
+ e such logs. Monitor ICS management protocols / file transfe e such logs. Monitor ICS management protocols / file transfe
+ r protocols for protocol functions related to firmware chang r protocols for protocol functions related to firmware chang
+ es. Monitor firmware for unexpected changes. Asset managemen es. Monitor firmware for unexpected changes. Asset managemen
+ t systems should be consulted to understand known-good firmw t systems should be consulted to understand known-good firmw
+ are versions. Dump and inspect BIOS images on vulnerable sys are versions. Dump and inspect BIOS images on vulnerable sys
+ tems and compare against known good images.(Citation: MITRE tems and compare against known good images.(Citation: MITRE
+ Copernicus) Analyze differences to determine if malicious ch Copernicus) Analyze differences to determine if malicious ch
+ anges have occurred. Log attempts to read/write to BIOS and anges have occurred. Log attempts to read/write to BIOS and
+ compare against known patching behavior. Likewise, EFI modul compare against known patching behavior. Likewise, EFI modul
+ es can be collected and compared against a known-clean list es can be collected and compared against a known-clean list
+ of EFI executable binaries to detect potentially malicious m of EFI executable binaries to detect potentially malicious m
+ odules. The CHIPSEC framework can be used for analysis to de odules. The CHIPSEC framework can be used for analysis to de
+ termine if firmware modifications have been performed.(Citat termine if firmware modifications have been performed.(Citat
+ ion: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citati ion: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation
+ on: Intel HackingTeam UEFI Rootkit) : Intel HackingTeam UEFI Rootkit)
+
+
Details values_changed STIX Field Old value New Value modified 2025-10-21 15:10:28.402000+00:00 2026-04-24 20:33:58.916000+00:00 description Monitor for firmware changes which may be observable via operational alarms from devices.
+Monitor device application logs for firmware changes, although not all devices will produce such logs.
+Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.
+Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit) Monitor for firmware changes which may be observable via operational alarms from devices.
+Monitor device application logs for firmware changes, although not all devices will produce such logs.
+Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.
+Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit) x_mitre_version 1.0 1.1
Patches [AN1879] Analytic 1879 Current version : 1.0
+
+
+
+
+
+ t Various techniques enable spoofing a reporting message. Cons t Various techniques enable spoofing a reporting message. Cons
+ ider monitoring for [Rogue Master](https://attack.mitre.org/ ider monitoring for [Rogue Master](https://attack.mitre.org/
+ techniques/T0848) and [Adversary-in-the-Middle](https://atta techniques/T0848) and [Adversary-in-the-Middle](https://atta
+ ck.mitre.org/techniques/T0830) activity which may precede th ck.mitre.org/techniques/T0830) activity which may precede th
+ is technique. Monitor asset logs for alarms or other informa is technique. Monitor asset logs for alarms or other informa
+ tion the adversary is unable to directly suppress. Relevant tion the adversary is unable to directly suppress. Relevant
+ alarms include those from a loss of communications due to [A alarms include those from a loss of communications due to [A
+ dversary-in-the-Middle](https://attack.mitre.org/techniques/ dversary-in-the-Middle](https://attack.mitre.org/techniques/
+ T0830) activity. Various techniques enable spoofing a report T0830) activity. Various techniques enable spoofing a report
+ ing message. Monitor for LLMNR/NBT-NS poisoning via new serv ing message. Monitor for LLMNR/NBT-NS poisoning via new serv
+ ices/daemons which may be used to enable this technique. For ices/daemons which may be used to enable this technique. For
+ added context on adversary procedures and background see [L added context on adversary procedures and background see [N
+ LM NR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.orame Resolution Poisoning and SMB Relay](https://attack.mitre
+ g/techniques/T1557/001). Spoofed reporting messages may be d .org/techniques/T1557/001). Spoofed reporting messages may b
+ etected by reviewing the content of automation protocols, ei e detected by reviewing the content of automation protocols,
+ ther through detecting based on expected values or comparing either through detecting based on expected values or compar
+ to other out of band process data sources. Spoofed messages ing to other out of band process data sources. Spoofed messa
+ may not precisely match legitimate messages which may lead ges may not precisely match legitimate messages which may le
+ to malformed traffic, although traffic may be malformed for ad to malformed traffic, although traffic may be malformed f
+ many benign reasons. Monitor reporting messages for changes or many benign reasons. Monitor reporting messages for chang
+ in how they are constructed. Various techniques enable spoo es in how they are constructed. Various techniques enable s
+ fing a reporting message. Consider monitoring for [Rogue Mas poofing a reporting message. Consider monitoring for [Rogue
+ ter](https://attack.mitre.org/techniques/T0848) and [Adversa Master](https://attack.mitre.org/techniques/T0848) and [Adve
+ ry-in-the-Middle](https://attack.mitre.org/techniques/T0830) rsary-in-the-Middle](https://attack.mitre.org/techniques/T08
+ activity. 30) activity.
+
+
Details values_changed STIX Field Old value New Value description Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.
+Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.
+Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).
+Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.
+
+Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity. Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.
+Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.
+Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).
+Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.
+
+Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.
+
+
+
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v18.1-v19.0/changelog.json b/modules/resources/docs/changelogs/v18.1-v19.0/changelog.json
new file mode 100644
index 00000000000..d677912229e
--- /dev/null
+++ b/modules/resources/docs/changelogs/v18.1-v19.0/changelog.json
@@ -0,0 +1,81904 @@
+{
+ "enterprise-attack": {
+ "techniques": {
+ "additions": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--eec096b8-c207-43df-b6c1-11523861e452",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:53:27.275000+00:00",
+ "modified": "2026-04-22 15:36:31.474000+00:00",
+ "name": "Disable or Modify System Firewall",
+ "description": "Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.(Citation: change_rdp_port_conti)\n\nAdversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Broadcom ESXi Firewall)(Citation: Trellix Rnasomhouse 2024)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1686",
+ "external_id": "T1686"
+ },
+ {
+ "source_name": "Broadcom ESXi Firewall",
+ "description": "Broadcom. (2025, March 24). Add Allowed IP Addresses for an ESXi Host by Using the VMware Host Client. Retrieved March 26, 2025.",
+ "url": "https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/add-allowed-ip-addresses-for-an-esxi-host-by-using-the-vmware-host-client.html"
+ },
+ {
+ "source_name": "Trellix Rnasomhouse 2024",
+ "description": "Pham Duy Phuc, Max Kersten, No\u00ebl Keijzer, and Micha\u00ebl Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025.",
+ "url": "https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/"
+ },
+ {
+ "source_name": "change_rdp_port_conti",
+ "description": "The DFIR Report. (2022, March 1). \"Change RDP port\" #ContiLeaks. Retrieved September 12, 2024.",
+ "url": "https://x.com/TheDFIRReport/status/1498657772254240768"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Network Devices",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ee474564-64be-4b83-a958-53f238f49b01",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:04.618000+00:00",
+ "modified": "2026-04-22 15:38:27.348000+00:00",
+ "name": "Cloud Firewall",
+ "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.\n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane.\n\nFor example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Expel AWS)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1686/001",
+ "external_id": "T1686.001"
+ },
+ {
+ "source_name": "Expel AWS",
+ "description": "Anthony Randazzo, Britton Manahan, Sam Lipton. (2020, April 28). Managed Detection & Response for AWS. Retrieved April 15, 2026.",
+ "url": "https://expel.com/blog/finding-evil-in-aws/"
+ },
+ {
+ "source_name": "Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022",
+ "description": "Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.",
+ "url": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Arun Seelagan, CISA",
+ "Expel"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--a29aa77c-a88d-4f19-bab9-7751941b2e2d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:05.016000+00:00",
+ "modified": "2026-04-22 15:38:51.612000+00:00",
+ "name": "Network Device Firewall",
+ "description": "Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. \n\nAdversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subsets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.\n\nAdversaries may obtain access to network device management interfaces via [Valid Accounts](https://attack.mitre.org/techniques/T1078) or by exploiting vulnerabilities. In some cases, threat actors may target firewalls and other network infrastructure that are exposed to the internet by leveraging weaknesses in public-facing applications ([Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).(Citation: CVE-2024-55591 Detail)\n\nAdversaries may also modify host networking configurations that indirectly manipulate system firewalls, such as adjusting interface bandwidth or network connection request thresholds. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1686/002",
+ "external_id": "T1686.002"
+ },
+ {
+ "source_name": "CVE-2024-55591 Detail",
+ "description": "NIST NVD. (2025, January 22). Retrieved September 22, 2025.",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55591"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Marco Pedrinazzi, @pedrinazziM, InTheCyber",
+ "Tommaso Tosi, @tosto92, InTheCyber"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--291ede6c-1473-454c-b614-5ac5ea63c987",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:05.494000+00:00",
+ "modified": "2026-04-22 15:39:19.227000+00:00",
+ "name": "Windows Host Firewall",
+ "description": "Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic.(Citation: Nearest Neighbor Volexity)\n\nAdversaries may perform these modifications through multiple mechanisms depending on the Windows operating system and access level. For example, adversaries may use command-line utilities (e.g., `netsh advfirewall` or PowerShell cmdlets like `Set-NetFirewallProfile`, `New-NetFirewallRule`), Windows Registry modifications (e.g., altering firewall states and rule configurations via registry keys), or the Windows Control Panel to modify firewall settings through the Windows Security interface.\n\nBy disabling or modifying Windows firewall services, adversaries may enable access to remote services, open ports for command and control traffic, or configure rules for further actions. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1686/003",
+ "external_id": "T1686.003"
+ },
+ {
+ "source_name": "Nearest Neighbor Volexity",
+ "description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.",
+ "url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--bbde9781-60aa-4b8a-a911-895b0c1b3872",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:53:26.949000+00:00",
+ "modified": "2026-04-22 15:39:46.202000+00:00",
+ "name": "Disable or Modify Tools",
+ "description": "Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware) \n\nIn addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)\n\nMore advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization\u2019s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1685",
+ "external_id": "T1685"
+ },
+ {
+ "source_name": "Cocomazzi FIN7 Reboot",
+ "description": "Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025.",
+ "url": "https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/"
+ },
+ {
+ "source_name": "Microsoft Lamin Sept 2017",
+ "description": "Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018.",
+ "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A"
+ },
+ {
+ "source_name": "ETW Palantir",
+ "description": "Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved April 15, 2026.",
+ "url": "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"
+ },
+ {
+ "source_name": "SCADAfence_ransomware",
+ "description": "Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.",
+ "url": "https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Alex Soler, AttackIQ",
+ "Cian Heasley",
+ "Daniel Feichter, @VirtualAllocEx, Infosec Tirol",
+ "Gal Singer, @galsinger29, Team Nautilus Aqua Security",
+ "Gordon Long, LegioX/Zoom, asaurusrex",
+ "Lucas Heiligenstein",
+ "Menachem Goldstein",
+ "Nathaniel Quist, Palo Alto Networks",
+ "Nay Myo Hlaing (Ethan), DBS Bank",
+ "Rob Smith",
+ "Sarathkumar Rajendran, Microsoft Defender365",
+ "Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers",
+ "ESXi",
+ "IaaS",
+ "Linux",
+ "macOS",
+ "Network Devices",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--5e29d64d-2b14-4f92-875e-4c9c498e213c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:04.240000+00:00",
+ "modified": "2026-04-22 15:41:39.190000+00:00",
+ "name": "Clear Linux or Mac System Logs",
+ "description": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the `/var/log/` directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)\n\n* `/var/log/messages:`: General and system-related messages\n* `/var/log/secure or /var/log/auth.log`: Authentication logs\n* `/var/log/utmp or /var/log/wtmp`: Login records\n* `/var/log/kern.log`: Kernel logs\n* `/var/log/cron.log`: Crond logs\n* `/var/log/maillog`: Mail server logs\n* `/var/log/httpd/`: Web server access and error logs",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1685/006",
+ "external_id": "T1685.006"
+ },
+ {
+ "source_name": "Linux Logs",
+ "description": "Marcel. (2018, April 19). 12 Critical Linux Log Files You Must be Monitoring. Retrieved March 29, 2020.",
+ "url": "https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:03.796000+00:00",
+ "modified": "2026-04-22 15:41:59.512000+00:00",
+ "name": "Clear Windows Event Logs",
+ "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nWith administrator privileges, the event logs can be cleared with the following utility commands:\n\n* `wevtutil cl system`\n* `wevtutil cl application`\n* `wevtutil cl security`\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)\n\nAdversaries may also attempt to clear logs by directly deleting the stored log files within `C:\\Windows\\System32\\winevt\\logs\\`.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1685/005",
+ "external_id": "T1685.005"
+ },
+ {
+ "source_name": "disable_win_evt_logging",
+ "description": "Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.",
+ "url": "https://ptylu.github.io/content/report/report.html?report=25"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Lucas Heiligenstein"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--34ff60a3-a3f8-42e4-bed0-af9a2cb563d7",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:02.368000+00:00",
+ "modified": "2026-04-22 15:42:27.748000+00:00",
+ "name": "Disable or Modify Cloud Log",
+ "description": "An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. \n\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality, for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Cloud Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1685/002",
+ "external_id": "T1685.002"
+ },
+ {
+ "source_name": "AWS Cloud Trail",
+ "description": "AWS. (n.d.). update-trail. Retrieved April 15, 2026.",
+ "url": "https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/update-trail.html"
+ },
+ {
+ "source_name": "Dark Reading",
+ "description": "Kelly Sheridan. (2021, August 5). Retrieved April 15, 2026.",
+ "url": "https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild"
+ },
+ {
+ "source_name": "Pacu Detection Disruption Module",
+ "description": "Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.",
+ "url": "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Alex Soler, AttackIQ",
+ "Arun Seelagan, CISA",
+ "Ibrahim Ali Khan",
+ "Janantha Marasinghe",
+ "Joe Gumke, U.S. Bank",
+ "Matt Snyder, VMware",
+ "Prasad Somasamudram, McAfee",
+ "Sekhar Sarukkai, McAfee",
+ "Syed Ummar Farooqh, McAfee"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "SaaS",
+ "Identity Provider",
+ "Office Suite"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--23d69d00-80c4-42ff-9dac-dbd0459dad75",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:03.325000+00:00",
+ "modified": "2026-04-22 15:42:49.357000+00:00",
+ "name": "Disable or Modify Linux Audit System Log",
+ "description": "Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. \n\nOften referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: IzyKnows auditd threat detection 2022)(Citation: Red Hat Linux Disable or Mod)\n\nWith root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: ESET Ebury Feb 2014)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1685/004",
+ "external_id": "T1685.004"
+ },
+ {
+ "source_name": "IzyKnows auditd threat detection 2022",
+ "description": "IzySec. (2022, January 26). Linux auditd for Threat Detection. Retrieved September 29, 2023.",
+ "url": "https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505"
+ },
+ {
+ "source_name": "ESET Ebury Feb 2014",
+ "description": "M.L\u00e9veill\u00e9, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.",
+ "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
+ },
+ {
+ "source_name": "Red Hat Linux Disable or Mod",
+ "description": "Red Hat. (n.d.). Retrieved April 15, 2026.",
+ "url": "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Tim (Wadhwa-)Brown"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--1411e6b8-80a6-4465-9909-54eaa9c67ce0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:01.982000+00:00",
+ "modified": "2026-04-22 15:43:20.588000+00:00",
+ "name": "Disable or Modify Windows Event Log",
+ "description": "Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. Windows Event Log records user and system activity such as login attempts and process creation.(Citation: EventLog_Core_Technologies) This data is used by security tools and analysts to generate detections. \n\nThe EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to `Security Settings\\Local Policies\\Audit Policy` for basic audit policy settings or `Security Settings\\Advanced Audit Policy Configuration` for advanced audit policy settings.(Citation: Microsoft Audit Policy)(Citation: Microsoft Adv Security Settings) `auditpol.exe` may also be used to set audit policies.(Citation: Microsoft auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the `Set-Service -Name EventLog -Status Stopped` or `sc config eventlog start=disabled` commands (followed by manually stopping the service using `Stop-Service -Name EventLog`). Additionally, the service may be disabled by modifying the \"Start\" value in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog` then restarting the system for the change to take effect.(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging)\n\nThere are several ways to disable the EventLog service via registry key modification. 
Without Administrator privileges, adversaries may modify the \"Start\" value in the key `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Security`, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) With Administrator privilege, adversaries may modify the same values in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System` and `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application` to disable the entire EventLog.\n\nAdditionally, adversaries may use `auditpol` and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the `/success` or `/failure` parameters. For example, `auditpol /set /category:\"Account Logon\" /success:disable /failure:disable` turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC) To clear the audit policy, adversaries may run the following lines: `auditpol /clear /y` or `auditpol /remove /allusers`.(Citation: T1562.002_redcanaryco)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1685/001",
+ "external_id": "T1685.001"
+ },
+ {
+ "source_name": "Disable_Win_Event_Logging",
+ "description": " dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.",
+ "url": "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging"
+ },
+ {
+ "source_name": "EventLog_Core_Technologies",
+ "description": "Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.",
+ "url": "https://www.coretechnologies.com/blog/windows-services/eventlog/"
+ },
+ {
+ "source_name": "disable_win_evt_logging",
+ "description": "Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.",
+ "url": "https://ptylu.github.io/content/report/report.html?report=25"
+ },
+ {
+ "source_name": "Microsoft Audit Policy",
+ "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+ "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-policy"
+ },
+ {
+ "source_name": "Microsoft Adv Security Settings",
+ "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+ "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings"
+ },
+ {
+ "source_name": "Microsoft auditpol",
+ "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+ "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol"
+ },
+ {
+ "source_name": "winser19_file_overwrite_bug_twitter",
+ "description": "Naceri, A. (2021, November 7). Windows Server 2019 file overwrite bug. Retrieved April 7, 2022.",
+ "url": "https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040"
+ },
+ {
+ "source_name": "T1562.002_redcanaryco",
+ "description": "redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.",
+ "url": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"
+ },
+ {
+ "source_name": "auditpol.exe_STRONTIC",
+ "description": "STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.",
+ "url": "https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Lucas Heiligenstein",
+ "Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0ff4bd68-aebb-4039-9e00-9f92c705edf4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:02.938000+00:00",
+ "modified": "2026-04-22 15:44:20.156000+00:00",
+ "name": "Modify or Spoof Tool UI",
+ "description": "Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response. \n\nAdversaries may present misleading or falsified security tool interfaces (UIs) that display normal or healthy status indicators, even when underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries can undermine defender trust in these signals and obscure the true security posture of the system. \n\nThis behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity. \n\nFor example, adversaries may display a fake Windows Security interface or system tray icon indicating a \u201cprotected\u201d or \u201chealthy\u201d state after disabling Windows Defender or related services.(Citation: BlackBasta)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1685/003",
+ "external_id": "T1685.003"
+ },
+ {
+ "source_name": "BlackBasta",
+ "description": "Antonio Cocomazzi and Antonio Pirozzi. (2022, November 3). Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor. Retrieved March 14, 2023.",
+ "url": "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Menachem Goldstein"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--30904c16-39f9-41c6-b01a-500eb8878442",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:53:28.276000+00:00",
+ "modified": "2026-04-22 15:44:42.756000+00:00",
+ "name": "Downgrade Attack",
+ "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system\u2019s backward compatibility to force it into less secure modes of operation.\n\nAdversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to impair defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike downgrade attack)(Citation: Google Cloud downgrade attack)(Citation: att_def_ps_logging)\n\nAdversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: CrowdStrike Downgrade attack 2) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1689",
+ "external_id": "T1689"
+ },
+ {
+ "source_name": "SafeBreach",
+ "description": "Alon Leviev. (2024, August 7). Windows Downdate: Downgrade Attacks Using Windows Updates. Retrieved January 8, 2025.",
+ "url": "https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/"
+ },
+ {
+ "source_name": "CrowdStrike Downgrade attack 2",
+ "description": "Bart Lenaerts-Bergmans. (2023, March 13). What are Downgrade Attacks?. Retrieved April 15, 2026.",
+ "url": "https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/downgrade-attack/"
+ },
+ {
+ "source_name": "Targeted SSL Stripping Attacks Are Real",
+ "description": "Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.",
+ "url": "https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/"
+ },
+ {
+ "source_name": "CrowdStrike downgrade attack",
+ "description": "Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved April 15, 2026.",
+ "url": "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/"
+ },
+ {
+ "source_name": "att_def_ps_logging",
+ "description": "Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021.",
+ "url": "https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/"
+ },
+ {
+ "source_name": "Google Cloud downgrade attack",
+ "description": "Nathan Kirk. (2018, June 18). Bring Your Own Land (BYOL) \u2014 A Novel Red Teaming Technique. Retrieved April 15, 2026.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/bring-your-own-land-novel-red-teaming-technique/"
+ },
+ {
+ "source_name": "Praetorian TLS Downgrade Attack 2014",
+ "description": "Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.",
+ "url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Arad Inbar, Fidelis Security",
+ "Daniel Feichter, @VirtualAllocEx, Infosec Tirol",
+ "Mayuresh Dani, Qualys"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "macOS",
+ "Windows",
+ "Linux"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--01c9b54f-c04e-41ba-b0c3-cfe784b3a463",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:53:27.621000+00:00",
+ "modified": "2026-04-16 20:10:42.138000+00:00",
+ "name": "Exploitation for Defense Impairment",
+ "description": "Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disable, or otherwise continue to impair their ability to prevent, detect, or respond to malicious activity. \n \nAdversaries may exploit a system or application vulnerability to directly interfere with defensive mechanisms. Exploitation occurs when an adversary takes advantage of a programming error in software, services, or the operating system to execute adversary-controlled code, often with the goal of weakening or disabling protections. \n\nVulnerabilities may exist in security tools such as antivirus, endpoint detection and response (EDR), firewalls, or other monitoring solutions. Adversaries may use prior reconnaissance or perform discovery activities (e.g., [Software Discovery](https://attack.mitre.org/techniques/T1518)) to identify defensive tools present in an environment and target them for exploitation. \n\nSuccessful exploitation may allow adversaries to terminate security processes, disable protections, bypass enforcement mechanisms, or reduce the effectiveness of defensive controls. In some cases, vulnerabilities in cloud-based or SaaS infrastructure may also be leveraged to bypass built-in security boundaries or disrupt visibility and enforcement across environments.(Citation: Salesforce zero-day in facebook phishing attack)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1687",
+ "external_id": "T1687"
+ },
+ {
+ "source_name": "Salesforce zero-day in facebook phishing attack",
+ "description": "Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.",
+ "url": "https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Linux",
+ "macOS",
+ "SaaS",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b512fb8a-18dd-4bfc-bbad-acbaaeb7dde3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-03-25 14:24:06.194000+00:00",
+ "modified": "2026-04-23 23:36:34.476000+00:00",
+ "name": "Generate Content",
+ "description": "Adversaries may create or generate content to support targeting and operations. This content may be used to establish personas, impersonate known individuals or organizations, and support [Social Engineering](https://attack.mitre.org/techniques/T1684), fraud, or influence activities. Written materials, audio, images, video, or other media may be developed and tailored to the target and objective.(Citation: IBM AI-Generated Content)\n\nContent development may occur prior to or during an operation. Adversaries may develop or generate content in-house, source it through third parties, or produce it using AI-assisted tools. Adversaries may use AI to research targets, develop pretexts, and better understand the organizations and individuals they intend to target or deceive prior to generating content (i.e., [Query Public AI Services](https://attack.mitre.org/techniques/T1682)); for obtaining access to AI tools used in content generation, see [Artificial Intelligence](https://attack.mitre.org/techniques/T1588/007). \n\nContent may be leveraged in support of techniques such as [Phishing](https://attack.mitre.org/techniques/T1566), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585). Generated or developed content does not include malicious code or scripts (i.e., [Develop Capabilities](https://attack.mitre.org/techniques/T1587) and [Artificial Intelligence](https://attack.mitre.org/techniques/T1588/007)).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1683",
+ "external_id": "T1683"
+ },
+ {
+ "source_name": "IBM AI-Generated Content",
+ "description": "Tim Mucci. (n.d.). What is AI-Generated Content?. Retrieved April 22, 2026.",
+ "url": "https://www.ibm.com/think/insights/ai-generated-content"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "PRE"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--8f452cb4-cbf4-4522-8b11-448787be95c4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-03-25 14:28:15.331000+00:00",
+ "modified": "2026-04-20 15:34:51.855000+00:00",
+ "name": "Audio-Visual Content",
+ "description": "Adversaries may create or manipulate audio, image, and video content to support targeting and malicious operations. Adversaries may also use synthetic voice recordings, real-time altered audio or video during live interactions, fabricated profile photos and identity documents, or video content depicting fabricated or impersonated individuals.(Citation: Nov AI Threat Tracker)\n\nContent may be produced manually through editing tools, generated using AI-assisted tools, or produced using third-party synthetic services.(Citation: FBI 2025 AI Generate Content)(Citation: Europol Deepfakes) AI-assisted tools have enabled adversaries to produce synthetic media at scale and generate content that is more difficult to identify as inauthentic. \n\nAudio-visual content produced through these methods may be used in support of other techniques, such as [Phishing](https://attack.mitre.org/techniques/T1660), [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1683/002",
+ "external_id": "T1683.002"
+ },
+ {
+ "source_name": "Europol Deepfakes",
+ "description": "Europol. (2022). FACING REALITY? LAW ENFORCEMENT AND THE CHALLENGE OF DEEPFAKES. Retrieved April 17, 2026.",
+ "url": "https://www.europol.europa.eu/cms/sites/default/files/documents/Europol_Innovation_Lab_Facing_Reality_Law_Enforcement_And_The_Challenge_Of_Deepfakes.pdf"
+ },
+ {
+ "source_name": "Nov AI Threat Tracker",
+ "description": "Google Threat Intelligence Group. (2025, November 5). GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools. Retrieved March 31, 2026.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"
+ },
+ {
+ "source_name": "FBI 2025 AI Generate Content",
+ "description": "Internet Crime Complaint Center, FBI. (2025). Federal Bureau of Investigation Internet Crime Report, 2025. Retrieved April 17, 2026.",
+ "url": "https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Gilberto P\u00e9rez",
+ "Alex Wong",
+ "Patrick Mkhael (aka Pinguino)"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "PRE"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--6a6f9892-c46a-46db-b331-c09a99200fcf",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-03-25 14:26:19.040000+00:00",
+ "modified": "2026-04-20 15:34:25.836000+00:00",
+ "name": "Written Content",
+ "description": "Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time.(Citation: GenAI Phishing)(Citation: GTIG AI Threat Tracker) Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.\n\nWritten materials may impersonate legitimate government correspondence, diplomatic communications, or internal organizational documents to support targeting efforts. AI-assisted tools may also be used to tailor content to specific targets, industries, or regions. For example, adversaries may leverage AI to translate content into a target's native language or mimic the communication style of trusted senders.\n\nWritten content produced through these methods may be used in support of other techniques, such as [Phishing](https://attack.mitre.org/techniques/T1660), [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585).\n\nWritten content does not include malicious code or scripts; for development of malicious code and scripts, see [Develop Capabilities](https://attack.mitre.org/techniques/T1587).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1683/001",
+ "external_id": "T1683.001"
+ },
+ {
+ "source_name": "GenAI Phishing",
+ "description": "Adaptive Team. (2025, August 29). Generative AI Phishing: How to Defend in 2025. Retrieved March 26, 2026.",
+ "url": "https://www.adaptivesecurity.com/blog/ai-phishing"
+ },
+ {
+ "source_name": "GTIG AI Threat Tracker",
+ "description": "Google Threat Intelligence Group . (2026, February 12). GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use. Retrieved March 25, 2026.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "PRE"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--e9b75bb0-b5ec-42c8-b728-f4f424d9c39e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-22 19:18:41.169000+00:00",
+ "modified": "2026-04-23 18:41:48.689000+00:00",
+ "name": "Invisible Unicode",
+ "description": "Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text. By inserting characters that do not visibly render, adversaries may hide data, alter how content is interpreted, or make malicious code appear as benign text or whitespace. Adversaries may encode these malicious payloads, using binary, Base64, or custom schemes, to be reconstructed at runtime through scripting features such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) Proxy traps, `eval()`, or other dynamic execution methods. This technique enables adversaries to evade visual inspection and basic static analysis by hiding malicious encoded content in innocuous text.(Citation: PUAs Unicode - Eriksen)(Citation: Tycoon2FA - Unicode)(Citation: Unicode - Veracode) \n\nUnicode is a standardized character encoding model that assigns a unique numerical value, known as a code point, to every character across writing systems, enabling consistent text representation across platforms, applications, and languages. Code points are represented as `U+` followed by a hexadecimal value and may be encoded using formats such as `UTF-8` or `UTF-16`. Adversaries may abuse the valid code points in Unicode that are not visibly rendered but still take up bytes, such as zero-width spaces, variation selectors, or bidirectional formatting controls, to conceal malicious payloads.(Citation: Tycoon2FA - Unicode)(Citation: GlassWorm - Unicode)(Citation: Unicode and Hidden Prompts - Perets)\n\nAdversaries may additionally exploit Private Use Area (PUA) characters, a range of code points reserved for custom assignment. 
PUA characters that are not defined by a font or application are typically rendered blank.(Citation: PUAs Unicode - Eriksen)\n\nUnicode characters may also be leveraged in support of other techniques such as [Phishing](https://attack.mitre.org/techniques/T1660), [Right-to-Left Override](https://attack.mitre.org/techniques/T1036/002), or [User Execution](https://attack.mitre.org/techniques/T1204). For example, some adversaries may embed artificial intelligence (AI) prompt injections using invisible Unicode characters in emails or documents that appear benign when processed by AI systems.(Citation: LLMs and Unicode - Medium)(Citation: Invisible Prompt Injection - Trend Micro)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/018",
+ "external_id": "T1027.018"
+ },
+ {
+ "source_name": "GlassWorm - Unicode",
+ "description": " Idan Dardikman. (2025, October 18). GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace. Retrieved April 21, 2026.",
+ "url": "https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace#heading-5"
+ },
+ {
+ "source_name": "PUAs Unicode - Eriksen",
+ "description": "Charlie Eriksen. (2025, May 13). You're Invited: Delivering malware via Google Calendar invites and PUAs. Retrieved April 21, 2026.",
+ "url": "https://www.aikido.dev/blog/youre-invited-delivering-malware-via-google-calendar-invites-and-puas"
+ },
+ {
+ "source_name": "Invisible Prompt Injection - Trend Micro",
+ "description": "Ian Ch Lui. (2025, January 22). Invisible Prompt Injection: A Threat to AI Security. Retrieved April 21, 2026.",
+ "url": "https://www.trendmicro.com/en_us/research/25/a/invisible-prompt-injection-secure-ai.html"
+ },
+ {
+ "source_name": "LLMs and Unicode - Medium",
+ "description": "Idan Habler. (2025, September 12). Hiding in Plain Sight: Weaponizing Invisible Unicode to Attack LLMs. Retrieved April 21, 2026.",
+ "url": "https://idanhabler.medium.com/hiding-in-plain-sight-weaponizing-invisible-unicode-to-attack-llms-f9033865ec10"
+ },
+ {
+ "source_name": "Tycoon2FA - Unicode",
+ "description": "Rodel Mendrez. (2025, April 10). Tycoon2FA New Evasion Technique for 2025. Retrieved April 21, 2026.",
+ "url": "https://www.levelblue.com/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025"
+ },
+ {
+ "source_name": "Unicode and Hidden Prompts - Perets",
+ "description": "Shaked Perets. (2025, December 7). Invisible Code & Hidden Prompts \u2013 How Attackers Weaponize Unicode in Repos (and How SAST Can Help). Retrieved April 21, 2026.",
+ "url": "https://cycode.com/blog/invisible-code-hidden-prompts-unicode-attacks-sast/"
+ },
+ {
+ "source_name": "Unicode - Veracode",
+ "description": "Veracode Threat Research. (2025, June 9). Down the Rabbit Hole of Unicode Obfuscation. Retrieved April 21, 2026.",
+ "url": "https://www.veracode.com/blog/down-the-rabbit-hole-of-unicode-obfuscation/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Menachem Goldstein",
+ "Rich Rafferty (NR Labs)"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b831f51c-d22f-4724-bbab-60d056bd1150",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:53:28.653000+00:00",
+ "modified": "2026-04-22 15:45:06.768000+00:00",
+ "name": "Prevent Command History Logging",
+ "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they have done.\n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable `HISTFILE`. When a user logs off a system, this information is flushed to a file in the user's home directory called `~/.bash_history`. The `HISTCONTROL` environment variable keeps track of what should be saved by the history command and eventually into the `~/.bash_history` file when a user logs out. `HISTCONTROL` does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)\n\nAdversaries may clear the history environment variable (`unset HISTFILE`) or set the command history size to zero (`export HISTFILESIZE=0`) to prevent logging of commands. Additionally, `HISTCONTROL` can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". `HISTCONTROL` can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the `PSReadLine` module tracks commands used in all PowerShell sessions and writes them to a file (`$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt` by default). Adversaries may change where these logs are saved using `Set-PSReadLineOption -HistorySavePath {File Path}`. This will cause `ConsoleHost_history.txt` to stop receiving logs. 
Additionally, it is possible to turn off logging to this file using the PowerShell command `Set-PSReadlineOption -HistorySaveStyle SaveNothing`.(Citation: Microsoft about_History prevent command history)(Citation: Sophos PowerShell Command History Forensics)\n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. `no logging`).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1690",
+ "external_id": "T1690"
+ },
+ {
+ "source_name": "Google Cloud Threat Intelligence ESXi VIBs 2022",
+ "description": "Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence"
+ },
+ {
+ "source_name": "Microsoft about_History prevent command history",
+ "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+ "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7.6&viewFallbackFrom=powershell-7"
+ },
+ {
+ "source_name": "Sophos PowerShell Command History Forensics",
+ "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024.",
+ "url": "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Austin Clark, @c2defense",
+ "Emile Kenning, Sophos",
+ "Vikas Singh, Sophos"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Network Devices",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--143122a8-fcda-4dd7-aded-5b9387d9c2d6",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-03-25 14:21:30.680000+00:00",
+ "modified": "2026-04-20 20:59:00.096000+00:00",
+ "name": "Query Public AI Services",
+ "description": "Adversaries may query publicly accessible artificial intelligence (AI) services, such as large language models (LLMs), to support targeting and operations. In addition to searching websites or databases directly (i.e., [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), adversaries may use AI services to synthesize, aggregate, and analyze publicly available information at scale. This may include identifying individuals or organizations to target, researching organizational structures and personnel, identifying technologies used by target organizations, researching business relationships to develop plausible pretexts for [Social Engineering](https://attack.mitre.org/techniques/T1684) approaches, identifying contact information for use in [Phishing](https://attack.mitre.org/techniques/T1566) or [Phishing for Information](https://attack.mitre.org/techniques/T1598), or gathering derogatory or sensitive information about individuals that may be used for extortion or coercion.(Citation: MSFT-AI)(Citation: GTIG AI Threat Tracker)\n\nInformation gathered through AI services may be leveraged for other behaviors, such as establishing operational resources (i.e., [Generate Content](https://attack.mitre.org/techniques/T1683) or [Establish Accounts](https://attack.mitre.org/techniques/T1585). For obtaining access to AI tools and services, see [Artificial Intelligence](https://attack.mitre.org/techniques/T1588/007).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1682",
+ "external_id": "T1682"
+ },
+ {
+ "source_name": "GTIG AI Threat Tracker",
+ "description": "Google Threat Intelligence Group . (2026, February 12). GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use. Retrieved March 25, 2026.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use"
+ },
+ {
+ "source_name": "MSFT-AI",
+ "description": "Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Menachem Goldstein"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "PRE"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--c7660f19-f8c5-4ae3-a5e5-24381c270376",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:53:27.979000+00:00",
+ "modified": "2026-04-22 15:48:52.409000+00:00",
+ "name": "Safe Mode Boot",
+ "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Windows Startup Settings)(Citation: Sophos Safe Mode Boot)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason safe mode boot)(Citation: BleepingComputer REvil 2021)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1688",
+ "external_id": "T1688"
+ },
+ {
+ "source_name": "BleepingComputer REvil 2021",
+ "description": "Abrams, L. (2021, March 19). REvil ransomware has a new \u2018Windows Safe Mode\u2019 encryption mode. Retrieved June 23, 2021.",
+ "url": "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/"
+ },
+ {
+ "source_name": "Sophos Safe Mode Boot",
+ "description": "Andrew Brandt. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved April 15, 2026.",
+ "url": "https://www.sophos.com/en-us/blog/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection"
+ },
+ {
+ "source_name": "Cybereason safe mode boot",
+ "description": "Cybereason Nocturnus. (n.d.). Cybereason vs. MedusaLocker Ransomware. Retrieved April 15, 2026.",
+ "url": "https://www.cybereason.com/blog/research/medusalocker-ransomware"
+ },
+ {
+ "source_name": "Microsoft Windows Startup Settings",
+ "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+ "url": "https://support.microsoft.com/en-us/windows/windows-startup-settings-1af6ec8c-4d4a-4b23-adb7-e76eef0b847f"
+ },
+ {
+ "source_name": "Microsoft bcdedit",
+ "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+ "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit"
+ },
+ {
+ "source_name": "CyberArk Labs Safe Mode 2016",
+ "description": "Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.",
+ "url": "https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Jorell Magtibay, National Australia Bank Limited",
+ "Kiyohito Yamamoto, RedLark, NTT Communications",
+ "Yusuke Kubo, RedLark, NTT Communications"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--41e4d77a-6275-4976-9e35-785985598519",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:53:26.607000+00:00",
+ "modified": "2026-04-15 15:39:55.218000+00:00",
+ "name": "Social Engineering",
+ "description": "Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adversary-supplied instructions (i.e., introduction of malicious payloads or software), while minimizing technical indicators. \n\nAdversaries may leverage trust-building methods across multiple channels (e.g., executive, vendor, or help desk scenarios, including AI-enabled voice interactions) to prompt user-authorized actions such as password resets, MFA changes, financial approvals, or the disclosure of sensitive information. Adversaries may also leverage common business communications and workflows such as email, collaboration platforms, voice communications, recruiting processes, help desk interactions, and SaaS consent mechanisms to make malicious requests appear routine and legitimate.(Citation: Proofpoint TA427 April 2024)(Citation: SE SentinelOne 2)(Citation: SE - Hackers Target Workday)\n\nAdditionally, adversaries have persuaded victims to take actions through references of current events, harnessing relevant themes to the work role or the organizations mission. For example, adversaries may use scare tactics (i.e., threaten repercussions for non-compliance) or otherwise incite victims\u2019 emotions in order to generate a sense of urgency to take action.(Citation: SE Proofpoint)(Citation: SE SentinelOne)\n\nThis technique may include common social engineering patterns such as [Phishing](https://attack.mitre.org/techniques/T1566) and [Spearphishing Voice](https://attack.mitre.org/techniques/T1566/004), often supported by convincing and targeted narratives.(Citation: SE SentinelOne 2)(Citation: Fortinet Trends 25-26)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1684",
+ "external_id": "T1684"
+ },
+ {
+ "source_name": "SE - Hackers Target Workday",
+ "description": "David Jones. (2025, August 19). Hackers target Workday in social engineering attack. Retrieved April 15, 2026.",
+ "url": "https://www.cybersecuritydive.com/news/hackers-target-workday-in-social-engineering-attack/758095/#:~:text=Researchers%20cite%20increasing%20evidence%20of,told%20Cybersecurity%20Dive%20via%20email."
+ },
+ {
+ "source_name": "Fortinet Trends 25-26",
+ "description": "Fortinet. (n.d.). Recent Cyber Attacks & Emerging Cybersecurity Trends. Retrieved April 15, 2026.",
+ "url": "https://www.fortinet.com/uk/resources/cyberglossary/recent-cyber-attacks"
+ },
+ {
+ "source_name": "Proofpoint TA427 April 2024",
+ "description": "Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427\u2019s Art of Information Gathering. Retrieved May 3, 2024.",
+ "url": "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering"
+ },
+ {
+ "source_name": "SE Proofpoint",
+ "description": "Proofpoint. (n.d.). What Is Social Engineering?. Retrieved April 15, 2026.",
+ "url": "https://www.proofpoint.com/us/threat-reference/social-engineering"
+ },
+ {
+ "source_name": "SE SentinelOne",
+ "description": "SentinelOne. (2023, October 19). Social Engineering Attacks | How to Recognize and Resist The Bait. Retrieved April 15, 2026.",
+ "url": "https://www.sentinelone.com/blog/social-engineering-attacks-how-to-recognize-and-resist-the-bait/"
+ },
+ {
+ "source_name": "SE SentinelOne 2",
+ "description": "SentinelOne. (2025, August 19). 15 Types of Social Engineering Attacks. Retrieved April 15, 2026.",
+ "url": "https://www.sentinelone.com/cybersecurity-101/threat-intelligence/types-of-social-engineering-attacks/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Office Suite",
+ "SaaS",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--fcf5bccf-be7a-48ff-b7a7-8d6019279301",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:01.539000+00:00",
+ "modified": "2026-04-22 15:49:23.425000+00:00",
+ "name": "Email Spoofing",
+ "description": "Adversaries may fake, or spoof, a sender\u2019s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024)\u00a0In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.\n\nEnterprise environments can use Domain-based Message Authentication, Reporting, and Conformance (DMARC) as an email authentication protocol that references results of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configurations. SPF and DKIM are configured separately in DNS: SPF verifies that the sending server is authorized for the domain, while DKIM uses a digital signature to verify email integrity and domain authentication. Together, they validate email authenticity and specify how receiving servers should handle authentication failures. Without enforced identity authentication, adversaries may compromise the integrity of an authentication check with altered headers that would not have otherwise passed.(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC)\n\nAn example of a weak or absent DMARC policy is `v=DMARC1; p=none; fo=1;`. The `p=none`. The `p=none` indicates no action should be taken, and therefore no filtering action will take place, even if an email fails authentication checks (i.e., SPF and/or DKIM fail). When a DMARC policy indicates no action, the email will still be delivered to the victim\u2019s inbox.(Citation: ic3-dprk) \n\nAdversaries have abused weak or absent DMARC policies to circumvent authentication checks and conceal social engineering attempts. 
Adversaries can alter email headers to include legitimate domain names with fake usernames or impersonate legitimate users via [Impersonation](https://attack.mitre.org/techniques/T1684/001) for [Phishing](https://attack.mitre.org/techniques/T1566). Additionally, adversaries may abuse Microsoft 365\u2019s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1684/002",
+ "external_id": "T1684.002"
+ },
+ {
+ "source_name": "Cloudflare DMARC, DKIM, and SPF",
+ "description": "Cloudflare. (n.d.). What are DMARC, DKIM, and SPF?. Retrieved April 8, 2025.",
+ "url": "https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/"
+ },
+ {
+ "source_name": "DMARC-overview",
+ "description": "DMARC. (n.d.). Retrieved March 24, 2025.",
+ "url": "https://dmarc.org/overview"
+ },
+ {
+ "source_name": "ic3-dprk",
+ "description": "FBI, State Department, NSA. (2024, May 2). North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts. Retrieved April 2, 2025.",
+ "url": "https://www.ic3.gov/CSA/2024/240502.pdf"
+ },
+ {
+ "source_name": "Proofpoint TA427 April 2024",
+ "description": "Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427\u2019s Art of Information Gathering. Retrieved May 3, 2024.",
+ "url": "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering"
+ },
+ {
+ "source_name": "Proofpoint-DMARC",
+ "description": "Proofpoint. (n.d.). Retrieved March 24, 2025.",
+ "url": "https://www.proofpoint.com/us/threat-reference/dmarc"
+ },
+ {
+ "source_name": "Barnea DirectSend",
+ "description": "Tom Barnea. (2025, September 9). Ongoing Campaign Abuses Microsoft 365\u2019s Direct Send to Deliver Phishing Emails. Retrieved September 24, 2025.",
+ "url": "https://www.varonis.com/blog/direct-send-exploit"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Office Suite",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--cd92d2b8-ce43-4666-9472-f1b4b9f4f8be",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2026-04-14 22:54:01.082000+00:00",
+ "modified": "2026-04-22 15:50:04.400000+00:00",
+ "name": "Impersonation",
+ "description": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary\u2019s ultimate goals, possibly against multiple victims.\n\nIn many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).\n\nAdversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary\u2019s goal.\u202f\u202f\n\nImpersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: Crowdstrike BEC)\n\nThere is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1684/001",
+ "external_id": "T1684.001"
+ },
+ {
+ "source_name": "Crowdstrike BEC",
+ "description": "Bart Lenaerts-Bergmans. (2023, August 8). What is Business Email Compromise?. Retrieved April 15, 2026.",
+ "url": "https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/business-email-compromise-bec/"
+ },
+ {
+ "source_name": "VEC",
+ "description": "CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.",
+ "url": "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Blake Strom, Microsoft Threat Intelligence",
+ "Pawel Partyka, Microsoft Threat Intelligence"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Office Suite",
+ "SaaS",
+ "Windows"
+ ],
+ "x_mitre_version": "1.0"
+ }
+ ],
+ "major_version_changes": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-30 13:58:14.373000+00:00",
+ "modified": "2026-04-21 18:05:00.504000+00:00",
+ "name": "Abuse Elevation Control Mechanism",
+ "description": "Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1548",
+ "external_id": "T1548"
+ },
+ {
+ "source_name": "TechNet How UAC Works",
+ "description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.",
+ "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works"
+ },
+ {
+ "source_name": "OSX Keydnap malware",
+ "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
+ "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
+ },
+ {
+ "source_name": "Fortinet Fareit",
+ "description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.",
+ "url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
+ },
+ {
+ "source_name": "sudo man page 2018",
+ "description": "Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.",
+ "url": "https://www.sudo.ws/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows",
+ "IaaS",
+ "Office Suite",
+ "Identity Provider"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-21 18:05:00.504000+00:00\", \"old_value\": \"2025-10-24 17:48:53.277000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)\", \"old_value\": \"Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.5\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.5",
+ "version_change": "1.5 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may circumvent mechanisms designed to control el t Adversaries may circumvent mechanisms designed to control pr \n evate privileges to gain higher-level permissions. Most modeivilege elevation to gain higher-level permissions. Most mod \n rn systems contain native elevation control mechanisms that ern systems contain native elevation control mechanisms that \n are intended to limit privileges that a user can perform on are intended to limit privileges that a user can perform on \n a machine. Authorization has to be granted to specific users a machine. Authorization has to be granted to specific user \n in order to perform tasks that can be considered of higher s in order to perform tasks that can be considered of higher \n risk.(Citation: TechNet How UAC Works)(Citation: sudo man pa risk.(Citation: TechNet How UAC Works)(Citation: sudo man p \n ge 2018) An adversary can perform several methods to take ad age 2018) An adversary can perform several methods to take a \n vantage of built-in control mechanisms in order to escalate dvantage of built-in control mechanisms in order to escalate \n privileges on a system.(Citation: OSX Keydnap malware)(Citat privileges on a system.(Citation: OSX Keydnap malware)(Cita \n ion: Fortinet Fareit) tion: Fortinet Fareit) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1022: Restrict File and Directory Permissions",
+ "M1026: Privileged Account Management",
+ "M1028: Operating System Configuration",
+ "M1038: Execution Prevention",
+ "M1047: Audit",
+ "M1051: Update Software",
+ "M1052: User Account Control"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0345: Detection Strategy for Abuse Elevation Control Mechanism (T1548)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-30 14:24:34.977000+00:00",
+ "modified": "2026-04-15 19:51:31.419000+00:00",
+ "name": "Bypass User Account Control",
+ "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1548/002",
+ "external_id": "T1548.002"
+ },
+ {
+ "source_name": "Davidson Windows",
+ "description": "Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.",
+ "url": "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html"
+ },
+ {
+ "source_name": "TechNet How UAC Works",
+ "description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.",
+ "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works"
+ },
+ {
+ "source_name": "SANS UAC Bypass",
+ "description": "Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.",
+ "url": "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass"
+ },
+ {
+ "source_name": "MSDN COM Elevation",
+ "description": "Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.",
+ "url": "https://msdn.microsoft.com/en-us/library/ms679687.aspx"
+ },
+ {
+ "source_name": "enigma0x3 Fileless UAC Bypass",
+ "description": "Nelson, M. (2016, August 15). \"Fileless\" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.",
+ "url": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
+ },
+ {
+ "source_name": "TechNet Inside UAC",
+ "description": "Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.",
+ "url": "https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx"
+ },
+ {
+ "source_name": "Fortinet Fareit",
+ "description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.",
+ "url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
+ },
+ {
+ "source_name": "Github UACMe",
+ "description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.",
+ "url": "https://github.com/hfiref0x/UACME"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Stefan Kanthak",
+ "Casey Smith"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:51:31.419000+00:00\", \"old_value\": \"2025-10-24 17:48:25.823000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}, \"root['external_references'][6]\": {\"source_name\": \"enigma0x3 sdclt app paths\", \"description\": \"Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.\", \"url\": \"https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/\"}, \"root['external_references'][7]\": {\"source_name\": \"enigma0x3 sdclt bypass\", \"description\": \"Nelson, M. (2017, March 17). \\\"Fileless\\\" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.\", \"url\": \"https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\"}}}",
+ "previous_version": "2.2",
+ "version_change": "2.2 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1047: Audit",
+ "M1051: Update Software",
+ "M1052: User Account Control"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0388: Detection Strategy for T1548.002 \u2013 Bypass User Account Control (UAC)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-30 14:40:20.187000+00:00",
+ "modified": "2026-04-15 19:51:53.527000+00:00",
+ "name": "Elevated Execution with Prompt",
+ "description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \n\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1548/004",
+ "external_id": "T1548.004"
+ },
+ {
+ "source_name": "AppleDocs AuthorizationExecuteWithPrivileges",
+ "description": "Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019.",
+ "url": "https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg"
+ },
+ {
+ "source_name": "Carbon Black Shlayer Feb 2019",
+ "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.",
+ "url": "https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html"
+ },
+ {
+ "source_name": "Death by 1000 installers; it's all broken!",
+ "description": "Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019.",
+ "url": "https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8"
+ },
+ {
+ "source_name": "OSX Coldroot RAT",
+ "description": "Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. Retrieved August 8, 2019.",
+ "url": "https://objective-see.com/blog/blog_0x2A.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Jimmy Astle, @AstleJimmy, Carbon Black",
+ "Erika Noerenberg, @gutterchurl, Carbon Black"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:51:53.527000+00:00\", \"old_value\": \"2025-10-24 17:49:16.860000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1038: Execution Prevention"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0395: macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-30 14:11:41.212000+00:00",
+ "modified": "2026-04-15 19:52:13.675000+00:00",
+ "name": "Setuid and Setgid",
+ "description": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \"shell escape\" or other actions to bypass an execution environment with restricted permissions.\n\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. 
Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1548/001",
+ "external_id": "T1548.001"
+ },
+ {
+ "source_name": "GTFOBins Suid",
+ "description": "Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January 28, 2022.",
+ "url": "https://gtfobins.github.io/#+suid"
+ },
+ {
+ "source_name": "OSX Keydnap malware",
+ "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
+ "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
+ },
+ {
+ "source_name": "setuid man page",
+ "description": "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.",
+ "url": "http://man7.org/linux/man-pages/man2/setuid.2.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:52:13.675000+00:00\", \"old_value\": \"2025-10-24 17:48:53.456000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\\n\\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\\n\\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \\\"shell escape\\\" or other actions to bypass an execution environment with restricted permissions.\\n\\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). 
The setuid and setguid bits are indicated with an \\\"s\\\" instead of an \\\"x\\\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)\", \"old_value\": \"An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\\n\\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. 
To enable the setgid bit, chmod 2775 and chmod g+s can be used.\\n\\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \\\"shell escape\\\" or other actions to bypass an execution environment with restricted permissions.\\n\\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \\\"s\\\" instead of an \\\"x\\\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\\n \\n-Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. 
[Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\\n+Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\\n \\n Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \\\"shell escape\\\" or other actions to bypass an execution environment with restricted permissions.\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t An adversary may abuse configurations where an application h t An adversary may abuse configurations where an application h \n as the setuid or setgid bits set in order to get code runnin as the setuid or setgid bits set in order to get code runnin \n g in a different (and possibly more privileged) user\u2019s conte g in a different (and possibly more privileged) user\u2019s conte \n xt. On Linux or macOS, when the setuid or setgid bits are se xt. On Linux or macOS, when the setuid or setgid bits are se \n t for an application binary, the application will run with t t for an application binary, the application will run with t \n he privileges of the owning user or group respectively.(Cita he privileges of the owning user or group respectively.(Cita \n tion: setuid man page) Normally an application is run in the tion: setuid man page) Normally an application is run in the \n current user\u2019s context, regardless of which user or group o current user\u2019s context, regardless of which user or group o \n wns the application. However, there are instances where prog wns the application. However, there are instances where prog \n rams need to be executed in an elevated context to function rams need to be executed in an elevated context to function \n properly, but the user running them may not have the specifi properly, but the user running them may not have the specifi \n c required privileges. Instead of creating an entry in the c required privileges. Instead of creating an entry in the \n sudoers file, which must be done by root, any user can speci sudoers file, which must be done by root, any user can speci \n fy the setuid or setgid flag to be set for their own applica fy the setuid or setgid flag to be set for their own applica \n tions (i.e. [Linux and Mac File and Directory Permissions Mo tions (i.e. 
[Linux and Mac Permissions](https://attack.mitre \n dification ](https://attack.mitre.org/techniques/T1222/002))..org/techniques/T1222/002)). The <code>chmod</code> command \n The <code>chmod</code> command can set these bits with bitm can set these bits with bitmasking, <code>chmod 4777 [file]< \n asking, <code>chmod 4777 [file]</code> or via shorthand nami /code> or via shorthand naming, <code>chmod u+s [file]</code \n ng, <code>chmod u+s [file]</code>. This will enable the setu >. This will enable the setuid bit. To enable the setgid bit \n id bit. To enable the setgid bit, <code>chmod 2775</code> an , <code>chmod 2775</code> and <code>chmod g+s</code> can be \n d <code>chmod g+s</code> can be used. Adversaries can use t used. Adversaries can use this mechanism on their own malwa \n his mechanism on their own malware to make sure they're able re to make sure they're able to execute in elevated contexts \n to execute in elevated contexts in the future.(Citation: OS in the future.(Citation: OSX Keydnap malware) This abuse is \n X Keydnap malware) This abuse is often part of a \"shell esca often part of a \"shell escape\" or other actions to bypass a \n pe\" or other actions to bypass an execution environment with n execution environment with restricted permissions. Altern \n restricted permissions. Alternatively, adversaries may cho atively, adversaries may choose to find and target vulnerabl \n ose to find and target vulnerable binaries with the setuid o e binaries with the setuid or setgid bits already enabled (i \n r setgid bits already enabled (i.e. [File and Directory Disc .e. [File and Directory Discovery](https://attack.mitre.org/ \n overy](https://attack.mitre.org/techniques/T1083)). The setu techniques/T1083)). The setuid and setguid bits are indicate \n id and setguid bits are indicated with an \"s\" instead of an d with an \"s\" instead of an \"x\" when viewing a file's attrib \n \"x\" when viewing a file's attributes via <code>ls -l</code>. 
utes via <code>ls -l</code>. The <code>find</code> command c \n The <code>find</code> command can also be used to search fo an also be used to search for such files. For example, <code \n r such files. For example, <code>find / -perm +4000 2>/dev/n >find / -perm +4000 2>/dev/null</code> can be used to find f \n ull</code> can be used to find files with setuid set and <co iles with setuid set and <code>find / -perm +2000 2>/dev/nul \n de>find / -perm +2000 2>/dev/null</code> may be used for set l</code> may be used for setgid. Binaries that have these bi \n gid. Binaries that have these bits set may then be abused by ts set may then be abused by adversaries.(Citation: GTFOBins \n adversaries.(Citation: GTFOBins Suid) Suid) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1028: Operating System Configuration"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0110: Setuid/Setgid Privilege Abuse Detection (Linux/macOS)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-30 14:34:44.992000+00:00",
+ "modified": "2026-04-15 19:52:35.310000+00:00",
+ "name": "Sudo and Sudo Caching",
+ "description": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. 
However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1548/003",
+ "external_id": "T1548.003"
+ },
+ {
+ "source_name": "cybereason osx proton",
+ "description": "Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.",
+ "url": "https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does"
+ },
+ {
+ "source_name": "OSX.Dok Malware",
+ "description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
+ },
+ {
+ "source_name": "sudo man page 2018",
+ "description": "Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.",
+ "url": "https://www.sudo.ws/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:52:35.310000+00:00\", \"old_value\": \"2025-10-24 17:48:26.105000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1026: Privileged Account Management",
+ "M1028: Operating System Configuration"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0052: Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--e8a0a025-3601-4755-abfb-8d08283329fb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-03-21 21:10:57.322000+00:00",
+ "modified": "2026-04-15 19:52:55.058000+00:00",
+ "name": "TCC Manipulation",
+ "description": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).\n\nWhen an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)\n\nAdversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. 
For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)\n\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1548/006",
+ "external_id": "T1548.006"
+ },
+ {
+ "source_name": "welivesecurity TCC",
+ "description": "Marc-Etienne M.L\u00e9veill\u00e9. (2022, July 19). I see what you did there: A look at the CloudMensis macOS spyware. Retrieved March 21, 2024.",
+ "url": "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/"
+ },
+ {
+ "source_name": "TCC Database",
+ "description": "Marina Liang. (2024, April 23). Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation. Retrieved March 28, 2024.",
+ "url": "https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/"
+ },
+ {
+ "source_name": "TCC macOS bypass",
+ "description": "Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024.",
+ "url": "https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Marina Liang",
+ "Wojciech Regu\u0142a @_r3ggi",
+ "Csaba Fitzl @theevilbit of Kandji"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:52:55.058000+00:00\", \"old_value\": \"2025-04-15 23:14:58.393000+00:00\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\", \"old_value\": \"https://interpressecurity.com/resources/return-of-the-macos-tcc/\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][0]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1026: Privileged Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0534: TCC Database Manipulation via Launchctl and Unprotected SIP"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-07-10 16:37:15.672000+00:00",
+ "modified": "2026-04-15 19:53:18.398000+00:00",
+ "name": "Temporary Elevated Cloud Access",
+ "description": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account, while service accounts with domain-wide delegation permission are permitted to impersonate Google Workspace accounts.(Citation: Google Cloud Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. 
While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1548/005",
+ "external_id": "T1548.005"
+ },
+ {
+ "source_name": "AWS PassRole",
+ "description": "AWS. (n.d.). Granting a user permissions to pass a role to an AWS service. Retrieved July 10, 2023.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html"
+ },
+ {
+ "source_name": "CrowdStrike StellarParticle January 2022",
+ "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.",
+ "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
+ },
+ {
+ "source_name": "Google Cloud Just in Time Access 2023",
+ "description": "Google Cloud. (n.d.). Manage just-in-time privileged access to projects. Retrieved September 21, 2023.",
+ "url": "https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project"
+ },
+ {
+ "source_name": "Google Cloud Service Account Authentication Roles",
+ "description": "Google Cloud. (n.d.). Roles for service account authentication. Retrieved July 10, 2023.",
+ "url": "https://cloud.google.com/iam/docs/service-account-permissions"
+ },
+ {
+ "source_name": "Microsoft Impersonation and EWS in Exchange",
+ "description": "Microsoft. (2022, September 13). Impersonation and EWS in Exchange. Retrieved July 10, 2023.",
+ "url": "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange"
+ },
+ {
+ "source_name": "Azure Just in Time Access 2023",
+ "description": "Microsoft. (2023, August 29). Configure and approve just-in-time access for Azure Managed Applications. Retrieved September 21, 2023.",
+ "url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access"
+ },
+ {
+ "source_name": "Rhino Security Labs AWS Privilege Escalation",
+ "description": "Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation \u2013 Methods and Mitigation. Retrieved May 27, 2022.",
+ "url": "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/"
+ },
+ {
+ "source_name": "Rhino Google Cloud Privilege Escalation",
+ "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform \u2013 Part 1 (IAM). Retrieved September 21, 2023.",
+ "url": "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/"
+ },
+ {
+ "source_name": "Hunters Domain Wide Delegation Google Workspace 2023",
+ "description": "Yonatan Khanashvilli. (2023, November 28). DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover. Retrieved January 16, 2024.",
+ "url": "https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover"
+ },
+ {
+ "source_name": "Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023",
+ "description": "Zohar Zigdon. (2023, November 30). Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature. Retrieved January 16, 2024.",
+ "url": "https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Arad Inbar, Fidelis Security"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Office Suite",
+ "Identity Provider"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:53:18.398000+00:00\", \"old_value\": \"2025-04-15 23:15:17.608000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0393: Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-12-14 16:46:06.044000+00:00",
+ "modified": "2026-04-15 19:53:44.334000+00:00",
+ "name": "Access Token Manipulation",
+ "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1134",
+ "external_id": "T1134"
+ },
+ {
+ "source_name": "Pentestlab Token Manipulation",
+ "description": "netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.",
+ "url": "https://pentestlab.blog/2017/04/03/token-manipulation/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Tom Ueltschi @c_APT_ure",
+ "Travis Smith, Tripwire",
+ "Robby Winchester, @robwinchester3",
+ "Jared Atkinson, @jaredcatkinson"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:53:44.334000+00:00\", \"old_value\": \"2025-10-24 17:49:29.051000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"BlackHat Atkinson Winchester Token Manipulation\", \"description\": \"Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.\", \"url\": \"https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf\"}, \"root['external_references'][2]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}, \"root['external_references'][3]\": {\"source_name\": \"Microsoft LogonUser\", \"description\": \"Microsoft TechNet. (n.d.). Retrieved April 25, 2017.\", \"url\": \"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx\"}, \"root['external_references'][4]\": {\"source_name\": \"Microsoft DuplicateTokenEx\", \"description\": \"Microsoft TechNet. (n.d.). Retrieved April 25, 2017.\", \"url\": \"https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx\"}, \"root['external_references'][5]\": {\"source_name\": \"Microsoft ImpersonateLoggedOnUser\", \"description\": \"Microsoft TechNet. (n.d.). 
Retrieved April 25, 2017.\", \"url\": \"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1026: Privileged Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0283: Behavior-chain detection for T1134 Access Token Manipulation on Windows"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-18 16:48:56.582000+00:00",
+ "modified": "2026-04-15 19:55:37.484000+00:00",
+ "name": "Create Process with Token",
+ "description": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.\n\nWhile this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1134/002",
+ "external_id": "T1134.002"
+ },
+ {
+ "source_name": "Microsoft RunAs",
+ "description": "Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.",
+ "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Jonny Johnson",
+ "Vadim Khrykov"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:55:37.484000+00:00\", \"old_value\": \"2025-10-24 17:48:53.370000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1026: Privileged Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0456: Behavior-chain detection for T1134.002 Create Process with Token (Windows)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-18 18:03:37.481000+00:00",
+ "modified": "2026-04-15 19:56:16.233000+00:00",
+ "name": "Make and Impersonate Token",
+ "description": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\n\nThis behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1134/003",
+ "external_id": "T1134.003"
+ },
+ {
+ "source_name": "LogonUserW function",
+ "description": "Microsoft. (2023, March 10). LogonUserW function (winbase.h). Retrieved January 8, 2024.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Jonny Johnson"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:56:16.233000+00:00\", \"old_value\": \"2025-10-24 17:49:05.200000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1026: Privileged Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0498: Behavior\u2011chain detection for T1134.003 Make and Impersonate Token (Windows)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-18 18:22:41.448000+00:00",
+ "modified": "2026-04-15 19:54:42.976000+00:00",
+ "name": "Parent PID Spoofing",
+ "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. 
administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1134/004",
+ "external_id": "T1134.004"
+ },
+ {
+ "source_name": "XPNSec PPID Nov 2017",
+ "description": "Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.",
+ "url": "https://blog.xpnsec.com/becoming-system/"
+ },
+ {
+ "source_name": "CounterCept PPID Spoofing Dec 2018",
+ "description": "Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.",
+ "url": "https://web.archive.org/web/20200726110643/https://blog.f-secure.com/detecting-parent-pid-spoofing/"
+ },
+ {
+ "source_name": "Microsoft UAC Nov 2018",
+ "description": "Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.",
+ "url": "https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works"
+ },
+ {
+ "source_name": "DidierStevens SelectMyParent Nov 2009",
+ "description": "Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.",
+ "url": "https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/"
+ },
+ {
+ "source_name": "CTD PPID Spoofing Macro Mar 2019",
+ "description": "Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.",
+ "url": "https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Wayne Silva, F-Secure Countercept"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:54:42.976000+00:00\", \"old_value\": \"2025-10-24 17:49:06.759000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://web.archive.org/web/20200726110643/https://blog.f-secure.com/detecting-parent-pid-spoofing/\", \"old_value\": \"https://www.countercept.com/blog/detecting-parent-pid-spoofing/\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][4]\": {\"source_name\": \"Microsoft Process Creation Flags May 2018\", \"description\": \"Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.\", \"url\": \"https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags\"}, \"root['external_references'][5]\": {\"source_name\": \"Secuirtyinbits Ataware3 May 2019\", \"description\": \"Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.\", \"url\": \"https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0489: Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-18 18:34:49.414000+00:00",
+ "modified": "2026-04-15 19:55:14.114000+00:00",
+ "name": "SID-History Injection",
+ "description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1134/005",
+ "external_id": "T1134.005"
+ },
+ {
+ "source_name": "Microsoft Well Known SIDs Jun 2017",
+ "description": "Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.",
+ "url": "https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems"
+ },
+ {
+ "source_name": "Microsoft SID-History Attribute",
+ "description": "Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.",
+ "url": "https://msdn.microsoft.com/library/ms679833.aspx"
+ },
+ {
+ "source_name": "Microsoft SID",
+ "description": "Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.",
+ "url": "https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Alain Homewood, Insomnia Security",
+ "Vincent Le Toux"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:55:14.114000+00:00\", \"old_value\": \"2025-10-24 17:49:16.316000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][4]\": {\"source_name\": \"Microsoft Get-ADUser\", \"description\": \"Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.\", \"url\": \"https://technet.microsoft.com/library/ee617241.aspx\"}, \"root['external_references'][5]\": {\"source_name\": \"AdSecurity SID History Sept 2015\", \"description\": \"Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.\", \"url\": \"https://adsecurity.org/?p=1772\"}, \"root['external_references'][6]\": {\"source_name\": \"Microsoft DsAddSidHistory\", \"description\": \"Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.\", \"url\": \"https://msdn.microsoft.com/library/ms677982.aspx\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1015: Active Directory Configuration"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0136: Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-18 16:39:06.289000+00:00",
+ "modified": "2026-04-15 19:54:20.663000+00:00",
+ "name": "Token Impersonation/Theft",
+ "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1134/001",
+ "external_id": "T1134.001"
+ },
+ {
+ "source_name": "DuplicateToken function",
+ "description": "Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Jonny Johnson"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:54:20.663000+00:00\", \"old_value\": \"2025-10-24 17:49:04.117000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1026: Privileged Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0482: Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-11 19:08:51.677000+00:00",
+ "modified": "2026-02-03 16:53:09.295000+00:00",
+ "name": "Name Resolution Poisoning and SMB Relay",
+ "description": "By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\n\nMulticast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with \u201c.local\u201d as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. 
The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\n\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\u00a0\n\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1557/001",
+ "external_id": "T1557.001"
+ },
+ {
+ "source_name": "Rapid7 LLMNR Spoofer",
+ "description": "Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017.",
+ "url": "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response"
+ },
+ {
+ "source_name": "GitHub Responder",
+ "description": "Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.",
+ "url": "https://github.com/SpiderLabs/Responder"
+ },
+ {
+ "source_name": "Secure Ideas SMB Relay",
+ "description": "Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019.",
+ "url": "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html"
+ },
+ {
+ "source_name": "BlackCat ransomware",
+ "description": "Lucas Silva, Leandro Froes. (2022, April 18). An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Retrieved February 2, 2026.",
+ "url": "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html"
+ },
+ {
+ "source_name": "TechNet NetBIOS",
+ "description": "Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017.",
+ "url": "https://technet.microsoft.com/library/cc958811.aspx"
+ },
+ {
+ "source_name": "GitHub NBNSpoof",
+ "description": "Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017.",
+ "url": "https://github.com/nomex/nbnspoof"
+ },
+ {
+ "source_name": "mDNS RFC",
+ "description": "S. Cheshire, M. Krochmal. (2013, February). Multicast DNS. Retrieved February 2, 2026.",
+ "url": "https://datatracker.ietf.org/doc/html/rfc6762"
+ },
+ {
+ "source_name": "byt3bl33d3r NTLM Relaying",
+ "description": "Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019.",
+ "url": "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html"
+ },
+ {
+ "source_name": "Wikipedia LLMNR",
+ "description": "Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017.",
+ "url": "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Eric Kuehn, Secure Ideas",
+ "Matthew Demaske, Adaptforward",
+ "Andrew Allen, @whitehat_zero",
+ "Arad Inbar"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-02-03 16:53:09.295000+00:00\", \"old_value\": \"2025-10-24 17:48:52.462000+00:00\"}, \"root['name']\": {\"new_value\": \"Name Resolution Poisoning and SMB Relay\", \"old_value\": \"LLMNR/NBT-NS Poisoning and SMB Relay\"}, \"root['description']\": {\"new_value\": \"By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials. \\n\\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\\n\\nMulticast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with \\u201c.local\\u201d as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)\\n\\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. 
The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\\n\\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\\u00a0\\n\\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)\", \"old_value\": \"By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \\n\\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. 
(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\\n\\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\\n\\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. 
The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\\u00a0\\n\\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)\", \"diff\": \"--- \\n+++ \\n@@ -1,9 +1,11 @@\\n-By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \\n+By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials. \\n \\n-Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\\n+Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. 
NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\\n \\n-Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\\n+Multicast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with \\u201c.local\\u201d as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)\\n \\n-In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. 
The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\\u00a0\\n+Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\\n+\\n+In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. 
The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\\u00a0\\n \\n Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"mDNS RFC\", \"old_value\": \"GitHub Conveigh\", \"new_path\": \"root['external_references'][7]['source_name']\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"S. Cheshire, M. Krochmal. (2013, February). Multicast DNS. Retrieved February 2, 2026.\", \"old_value\": \"Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017.\", \"new_path\": \"root['external_references'][7]['description']\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://datatracker.ietf.org/doc/html/rfc6762\", \"old_value\": \"https://github.com/Kevin-Robertson/Conveigh\", \"new_path\": \"root['external_references'][7]['url']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"BlackCat ransomware\", \"description\": \"Lucas Silva, Leandro Froes. (2022, April 18). An Investigation of the BlackCat Ransomware via Trend Micro Vision One. 
Retrieved February 2, 2026.\", \"url\": \"https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html\"}, \"root['x_mitre_contributors'][3]\": \"Arad Inbar\"}, \"iterable_item_removed\": {\"root['external_references'][8]\": {\"source_name\": \"Sternsecurity LLMNR-NBTNS\", \"description\": \"Sternstein, J. (2013, November). Local Network Attacks: LLMNR and NBT-NS Poisoning. Retrieved November 17, 2017.\", \"url\": \"https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning\"}}}",
+ "previous_version": "1.4",
+ "version_change": "1.4 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t By responding to LLMNR/NBT-NS network traffic, adversaries m t By responding to LLMNR/NBT-NS/mDNS network traffic, adversar \n ay spoof an authoritative source for name resolution to forc ies may spoof an authoritative source for name resolution to \n e communication with an adversary controlled system. This ac force communication with an adversary controlled system.(Ci \n tivity may be used to collect or relay authentication materi tation: BlackCat ransomware) This activity may be used to co \n als. Link-Local Multicast Name Resolution (LLMNR) and NetB llect or relay authentication materials. Link-Local Multic \n IOS Name Service (NBT-NS) are Microsoft Windows components t ast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS \n hat serve as alternate methods of host identification. LLMNR ) are Microsoft Windows components that serve as alternate m \n is based upon the Domain Name System (DNS) format and allow ethods of host identification. LLMNR is based upon the Domai \n s hosts on the same local link to perform name resolution fo n Name System (DNS) format and allows hosts on the same loca \n r other hosts. NBT-NS identifies systems on a local network l link to perform name resolution for other hosts. NBT-NS id \n by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: entifies systems on a local network by their NetBIOS name.(C \n TechNet NetBIOS) Adversaries can spoof an authoritative so itation: Wikipedia LLMNR)(Citation: TechNet NetBIOS) Multic \n urce for name resolution on a victim network by responding t ast Domain Name System(mDNS) is a zero-configuration service \n o LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know used to resolve hostnames to IP addresses with \u201c.local\u201d as \n the identity of the requested host, effectively poisoning th a top-level domain. 
MDNS is based upon Domain Name System (D \n e service so that the victims will communicate with the adve NS) format and allows hosts on the same network segment to p \n rsary controlled system. If the requested host belongs to a erform name resolution for other hosts, using multicast.(Cit \n resource that requires identification/authentication, the us ation: mDNS RFC) Adversaries can spoof an authoritative sou \n ername and NTLMv2 hash will then be sent to the adversary co rce for name resolution on a victim network by responding to \n ntrolled system. The adversary can then collect the hash inf LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic a \n ormation sent over the wire through tools that monitor the p s if they know the identity of the requested host, effective \n orts for traffic or through [Network Sniffing](https://attac ly poisoning the service so that the victims will communicat \n k.mitre.org/techniques/T1040) and crack the hashes offline t e with the adversary controlled system. If the requested hos \n hrough [Brute Force](https://attack.mitre.org/techniques/T11 t belongs to a resource that requires identification/authent \n 10) to obtain the plaintext passwords. In some cases where ication, the username and NTLMv2 hash will then be sent to t \n an adversary has access to a system that is in the authentic he adversary controlled system. The adversary can then colle \n ation path between systems or when automated scans that use ct the hash information sent over the wire through tools tha \n credentials attempt to authenticate to an adversary controll t monitor the ports for traffic or through [Network Sniffing \n ed system, the NTLMv1/v2 hashes can be intercepted and relay ](https://attack.mitre.org/techniques/T1040) and crack the h \n ed to access and execute code against a target system. 
The r ashes offline through [Brute Force](https://attack.mitre.org \n elay step can happen in conjunction with poisoning but may a /techniques/T1110) to obtain the plaintext passwords. In so \n lso be independent of it.(Citation: byt3bl33d3r NTLM Relayin me cases where an adversary has access to a system that is i \n g)(Citation: Secure Ideas SMB Relay) Additionally, adversari n the authentication path between systems or when automated \n es may encapsulate the NTLMv1/v2 hashes into various protoco scans that use credentials attempt to authenticate to an adv \n ls, such as LDAP, SMB, MSSQL and HTTP, to expand and use mul ersary controlled system, the NTLMv1/v2 hashes can be interc \n tiple services with the valid NTLM response.\u00a0 Several tools epted and relayed to access and execute code against a targe \n may be used to poison name services within local networks s t system. The relay step can happen in conjunction with pois \n uch as NBNSpoof, Metasploit, and [Responder](https://attack. oning but may also be independent of it.(Citation: byt3bl33d \n mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citati 3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Addition \n on: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder) ally, adversaries may encapsulate the NTLMv1/v2 hashes into \n various other protocols, such as LDAP, MSSQL and HTTP, to ex \n pand and use multiple services with the valid NTLM response. \n \u00a0 Several tools may be used to poison name services within \n local networks such as NBNSpoof, Metasploit, and [Responder] \n (https://attack.mitre.org/software/S0174).(Citation: GitHub \n NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub R \n esponder) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1030: Network Segmentation",
+ "M1031: Network Intrusion Prevention",
+ "M1037: Filter Network Traffic",
+ "M1042: Disable or Remove Feature or Program"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0462: Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2018-04-18 17:59:24.739000+00:00",
+ "modified": "2026-04-15 19:57:02.003000+00:00",
+ "name": "BITS Jobs",
+ "description": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\n\nThe interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)\n\nAdversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)\n\nBITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1197",
+ "external_id": "T1197"
+ },
+ {
+ "source_name": "CTU BITS Malware June 2016",
+ "description": "Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.",
+ "url": "https://www.secureworks.com/blog/malware-lingers-with-bits"
+ },
+ {
+ "source_name": "Symantec BITS May 2007",
+ "description": "Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.",
+ "url": "https://www.symantec.com/connect/blogs/malware-update-windows-update"
+ },
+ {
+ "source_name": "PaloAlto UBoatRAT Nov 2017",
+ "description": "Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
+ },
+ {
+ "source_name": "Microsoft BITS",
+ "description": "Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.",
+ "url": "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx"
+ },
+ {
+ "source_name": "Microsoft BITSAdmin",
+ "description": "Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.",
+ "url": "https://msdn.microsoft.com/library/aa362813.aspx"
+ },
+ {
+ "source_name": "Microsoft COM",
+ "description": "Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.",
+ "url": "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx"
+ },
+ {
+ "source_name": "Mondok Windows PiggyBack BITS May 2007",
+ "description": "Mondok, M. (2007, May 11). Malware piggybacks on Windows\u2019 Background Intelligent Transfer Service. Retrieved January 12, 2018.",
+ "url": "https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Brent Murphy, Elastic",
+ "David French, Elastic",
+ "Red Canary",
+ "Ricardo Dias"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:57:02.003000+00:00\", \"old_value\": \"2025-10-24 17:49:22.711000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"execution\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][2]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.5\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][0]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}}, \"iterable_item_removed\": {\"root['external_references'][3]\": {\"source_name\": \"Elastic - Hunting for Persistence Part 1\", \"description\": \"French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.\", \"url\": \"https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1\"}, \"root['external_references'][5]\": {\"source_name\": \"Microsoft Issues with BITS July 2011\", \"description\": \"Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018.\", \"url\": \"https://technet.microsoft.com/library/dd939934.aspx\"}}}",
+ "previous_version": "1.5",
+ "version_change": "1.5 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1028: Operating System Configuration",
+ "M1037: Filter Network Traffic"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0098: Detect abuse of Windows BITS Jobs for download, execution and persistence"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--800f9819-7007-4540-a520-40e655876800",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-03-30 17:54:03.944000+00:00",
+ "modified": "2026-04-15 19:56:51.027000+00:00",
+ "name": "Build Image on Host",
+ "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1612",
+ "external_id": "T1612"
+ },
+ {
+ "source_name": "Aqua Build Images on Hosts",
+ "description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
+ "url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
+ },
+ {
+ "source_name": "Docker Build Image",
+ "description": "Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021.",
+ "url": "https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild"
+ },
+ {
+ "source_name": "Aqua Security Cloud Native Threat Report June 2021",
+ "description": "Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.",
+ "url": "https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security",
+ "Roi Kol, @roykol1, Team Nautilus Aqua Security",
+ "Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security",
+ "Vishwas Manral, McAfee"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:56:51.027000+00:00\", \"old_value\": \"2025-10-24 17:49:01.646000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1030: Network Segmentation",
+ "M1035: Limit Access to Resource Over Network",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0459: Detection Strategy for Build Image on Host"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-04-01 17:59:46.156000+00:00",
+ "modified": "2026-04-15 19:57:49.208000+00:00",
+ "name": "Debugger Evasion",
+ "description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary. On Windows, this may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). On Linux, this may involve querying `/proc/self/status` for the `TracerPID` field, which indicates whether or not the process is being traced by dynamic analysis tools.(Citation: Cado Security P2PInfect 2023)(Citation: Positive Technologies Hellhounds 2023) Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \u201cswallow\u201d or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nMalware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software expectations, providing control over the exceptions including support for debugging. 
If a debugger is present, the program\u2019s control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the program\u2019s execution to continue.(Citation: Apriorit)\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1622",
+ "external_id": "T1622"
+ },
+ {
+ "source_name": "Apriorit",
+ "description": "Apriorit. (2024, June 4). Anti Debugging Protection Techniques with Examples. Retrieved March 4, 2025.",
+ "url": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software"
+ },
+ {
+ "source_name": "Checkpoint Dridex Jan 2021",
+ "description": "Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.",
+ "url": "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/"
+ },
+ {
+ "source_name": "hasherezade debug",
+ "description": "hasherezade. (2021, June 30). Module 3 - Understanding and countering malware's evasion and self-defence. Retrieved April 1, 2022.",
+ "url": "https://github.com/hasherezade/malware_training_vol1/blob/main/slides/module3/Module3_2_fingerprinting.pdf"
+ },
+ {
+ "source_name": "Cado Security P2PInfect 2023",
+ "description": "jbowen. (2023, December 4). P2Pinfect - New Variant Targets MIPS Devices. Retrieved March 18, 2025.",
+ "url": "https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices"
+ },
+ {
+ "source_name": "AlKhaser Debug",
+ "description": "Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.",
+ "url": "https://github.com/LordNoteworthy/al-khaser/tree/master/al-khaser/AntiDebug"
+ },
+ {
+ "source_name": "wardle evilquest partii",
+ "description": "Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.",
+ "url": "https://objective-see.com/blog/blog_0x60.html"
+ },
+ {
+ "source_name": "ProcessHacker Github",
+ "description": "ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.",
+ "url": "https://github.com/processhacker/processhacker"
+ },
+ {
+ "source_name": "Positive Technologies Hellhounds 2023",
+ "description": "PT Expert Security Center. (2023, November 29). Hellhounds: operation Lahat. Retrieved March 18, 2025.",
+ "url": "https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat"
+ },
+ {
+ "source_name": "vxunderground debug",
+ "description": "vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.",
+ "url": "https://web.archive.org/web/20250904153443/https://github.com/vxunderground/VX-API/tree/main#anti-debug"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Joas Antonio dos Santos, @C0d3Cr4zy",
+ "TruKno"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:57:49.208000+00:00\", \"old_value\": \"2025-10-24 17:49:32.196000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][9]['url']\": {\"new_value\": \"https://web.archive.org/web/20250904153443/https://github.com/vxunderground/VX-API/tree/main#anti-debug\", \"old_value\": \"https://github.com/vxunderground/VX-API/tree/main/Anti%20Debug\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0371: Detection Strategy for Debugger Evasion (T1622)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--a1df809c-7d0e-459f-8fe5-25474bab770b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2025-09-24 18:03:15.021000+00:00",
+ "modified": "2026-04-15 19:57:37.301000+00:00",
+ "name": "Delay Execution",
+ "description": "Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems. \n\nAdversaries may utilize programmatic `sleep` commands or native system scheduling functionality, for example [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053). Benign commands or other operations may also be used to delay malware execution or ensure prior commands have had time to execute properly. Loops or otherwise needless repetitions of commands, such as `ping`, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1678",
+ "external_id": "T1678"
+ },
+ {
+ "source_name": "Joe Sec Nymaim",
+ "description": "Joe Security. (2016, April 21). Nymaim - evading Sandboxes with API hammering. Retrieved September 30, 2021.",
+ "url": "https://www.joesecurity.org/blog/3660886847485093803"
+ },
+ {
+ "source_name": "Joe Sec Trickbot",
+ "description": "Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.",
+ "url": "https://www.joesecurity.org/blog/498839998833561473"
+ },
+ {
+ "source_name": "Revil Independence Day",
+ "description": "Loman, M. et al. (2021, July 4). Independence Day: REvil uses supply chain exploit to attack hundreds of businesses. Retrieved September 30, 2021.",
+ "url": "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+ },
+ {
+ "source_name": "Netskope Nitol",
+ "description": "Malik, A. (2016, October 14). Nitol Botnet makes a resurgence with evasive sandbox analysis technique. Retrieved September 30, 2021.",
+ "url": "https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Deloitte Threat Library Team",
+ "Jeff Felling, Red Canary",
+ "Jorge Orchilles, SCYTHE",
+ "Ruben Dodge, @shotgunner101"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:57:37.301000+00:00\", \"old_value\": \"2025-10-21 23:58:09.956000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0372: Multi-Platform Detection Strategy for T1678 - Delay Execution"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-12-14 16:46:06.044000+00:00",
+ "modified": "2026-04-15 19:58:25.069000+00:00",
+ "name": "Deobfuscate/Decode Files or Information",
+ "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1140",
+ "external_id": "T1140"
+ },
+ {
+ "source_name": "Volexity PowerDuke November 2016",
+ "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",
+ "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
+ },
+ {
+ "source_name": "Sentinel One Tainted Love 2023",
+ "description": "Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025.",
+ "url": "https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/"
+ },
+ {
+ "source_name": "Malwarebytes Targeted Attack against Saudi Arabia",
+ "description": "Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.",
+ "url": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/"
+ },
+ {
+ "source_name": "Carbon Black Obfuscation Sept 2016",
+ "description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.",
+ "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Crist\u00f3bal Mart\u00ednez Mart\u00edn",
+ "Matthew Demaske, Adaptforward",
+ "Red Canary"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:58:25.069000+00:00\", \"old_value\": \"2025-10-24 17:48:40.925000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}}",
+ "previous_version": "1.4",
+ "version_change": "1.4 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0275: Detect Adversary Deobfuscation or Decoding of Files and Payloads"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-03-29 16:51:26.020000+00:00",
+ "modified": "2026-04-15 19:59:11.024000+00:00",
+ "name": "Deploy Container",
+ "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1610",
+ "external_id": "T1610"
+ },
+ {
+ "source_name": "AppSecco Kubernetes Namespace Breakout 2020",
+ "description": "Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume \u2014 Part 1. Retrieved January 16, 2024.",
+ "url": "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216"
+ },
+ {
+ "source_name": "Aqua Build Images on Hosts",
+ "description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
+ "url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
+ },
+ {
+ "source_name": "Docker Container",
+ "description": "DockerDocs. (n.d.). Retrieved December 8, 2025.",
+ "url": "https://docs.docker.com/reference/cli/docker/container/create/"
+ },
+ {
+ "source_name": "Kubernetes Workload Management",
+ "description": "Kubernetes. (n.d.). Workload Management. Retrieved March 28, 2024.",
+ "url": "https://kubernetes.io/docs/concepts/workloads/controllers/"
+ },
+ {
+ "source_name": "Kubeflow Pipelines",
+ "description": "The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021.",
+ "url": "https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/"
+ },
+ {
+ "source_name": "Kubernetes Dashboard",
+ "description": "The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021.",
+ "url": "https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Alfredo Oliveira, Trend Micro",
+ "Ariel Shuper, Cisco",
+ "Center for Threat-Informed Defense (CTID)",
+ "Idan Frimark, Cisco",
+ "Joas Antonio dos Santos, @C0d3Cr4zy",
+ "Magno Logan, @magnologan, Trend Micro",
+ "Pawan Kinger, @kingerpawan, Trend Micro",
+ "Vishwas Manral, McAfee",
+ "Yossi Weizman, Azure Defender Research Team"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:59:11.024000+00:00\", \"old_value\": \"2025-10-24 17:48:49.017000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\\n\\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\", \"old_value\": \"Adversaries may deploy a container into an environment to facilitate execution or evade defenses. 
In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\\n\\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. 
In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\\n \\n-Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\\n+Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Docker Container\", \"old_value\": \"Docker Containers API\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"DockerDocs. (n.d.). Retrieved December 8, 2025.\", \"old_value\": \"Docker. (n.d.). Docker Engine API v1.41 Reference - Container. 
Retrieved March 29, 2021.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://docs.docker.com/reference/cli/docker/container/create/\", \"old_value\": \"https://docs.docker.com/engine/api/v1.41/#tag/Container\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][0]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.4",
+ "version_change": "1.4 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may deploy a container into an environment to fa t Adversaries may deploy a container into an environment to fa \n cilitate execution or evade defenses. In some cases, adversa cilitate execution or evade defenses. In some cases, adversa \n ries may deploy a new container to execute processes associa ries may deploy a new container to execute processes associa \n ted with a particular image or deployment, such as processes ted with a particular image or deployment, such as processes \n that execute or download malware. In others, an adversary m that execute or download malware. In others, an adversary m \n ay deploy a new container configured without network rules, ay deploy a new container configured without network rules, \n user limitations, etc. to bypass existing defenses within th user limitations, etc. to bypass existing defenses within th \n e environment. In Kubernetes environments, an adversary may e environment. In Kubernetes environments, an adversary may \n attempt to deploy a privileged or vulnerable container into attempt to deploy a privileged or vulnerable container into \n a specific node in order to [Escape to Host](https://attack. a specific node in order to [Escape to Host](https://attack. \n mitre.org/techniques/T1611) and access other containers runn mitre.org/techniques/T1611) and access other containers runn \n ing on the node. (Citation: AppSecco Kubernetes Namespace Br ing on the node. (Citation: AppSecco Kubernetes Namespace Br \n eakout 2020) Containers can be deployed by various means, s eakout 2020) Containers can be deployed by various means, s \n uch as via Docker's <code>create</code> and <code>start</cod uch as via Docker's <code>create</code> and <code>start</cod \n e> APIs or via a web application such as the Kubernetes dash e> APIs or via a web application such as the Kubernetes dash \n board or Kubeflow. (Citation: Docker Containers API )(Citatio board or Kubeflow. 
(Citation: Docker Container)(Citation: Ku \n n: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Ku bernetes Dashboard)(Citation: Kubeflow Pipelines) In Kuberne \n bernetes environments, containers may be deployed through wo tes environments, containers may be deployed through workloa \n rkloads such as ReplicaSets or DaemonSets, which can allow c ds such as ReplicaSets or DaemonSets, which can allow contai \n ontainers to be deployed across multiple nodes.(Citation: Ku ners to be deployed across multiple nodes.(Citation: Kuberne \n bernetes Workload Management) Adversaries may deploy contain tes Workload Management) Adversaries may deploy containers b \n ers based on retrieved or built malicious images or from ben ased on retrieved or built malicious images or from benign i \n ign images that download and execute malicious payloads at r mages that download and execute malicious payloads at runtim \n untime.(Citation: Aqua Build Images on Hosts) e.(Citation: Aqua Build Images on Hosts) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1030: Network Segmentation",
+ "M1035: Limit Access to Resource Over Network",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0249: Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-05-31 21:30:20.934000+00:00",
+ "modified": "2026-04-15 19:59:05.018000+00:00",
+ "name": "Direct Volume Access",
+ "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1006",
+ "external_id": "T1006"
+ },
+ {
+ "source_name": "Github PowerSploit Ninjacopy",
+ "description": "Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.",
+ "url": "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1"
+ },
+ {
+ "source_name": "Hakobyan 2009",
+ "description": "Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.",
+ "url": "http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin"
+ },
+ {
+ "source_name": "LOLBAS Esentutl",
+ "description": "LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.",
+ "url": "https://lolbas-project.github.io/lolbas/Binaries/Esentutl/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Tom Simpson, CrowdStrike Falcon OverWatch"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices",
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 19:59:05.018000+00:00\", \"old_value\": \"2025-10-24 17:48:23.015000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.3\"}}}",
+ "previous_version": "2.3",
+ "version_change": "2.3 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1040: Behavior Prevention on Endpoint"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0426: Detection of Direct Volume Access for File System Evasion"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2019-03-07 14:10:32.650000+00:00",
+ "modified": "2026-04-16 20:07:53.114000+00:00",
+ "name": "Domain or Tenant Policy Modification",
+ "description": "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.\n\nModifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.\n\nWith sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include: \n\n* modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)\n* modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)\n* changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n* adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023)\n\nAdversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change 
to remove suspicious indicators.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1484",
+ "external_id": "T1484"
+ },
+ {
+ "source_name": "ADSecurity GPO Persistence 2016",
+ "description": "Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.",
+ "url": "https://adsecurity.org/?p=2716"
+ },
+ {
+ "source_name": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks",
+ "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.",
+ "url": "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+ },
+ {
+ "source_name": "Okta Cross-Tenant Impersonation 2023",
+ "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
+ "url": "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ },
+ {
+ "source_name": "Wald0 Guide to GPOs",
+ "description": "Robbins, A. (2018, April 2). A Red Teamer\u2019s Guide to GPOs and OUs. Retrieved March 5, 2019.",
+ "url": "https://wald0.com/?p=179"
+ },
+ {
+ "source_name": "Harmj0y Abusing GPO Permissions",
+ "description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.",
+ "url": "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Obsidian Security"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Identity Provider"
+ ],
+ "x_mitre_version": "4.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.114000+00:00\", \"old_value\": \"2025-10-24 17:49:33.897000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"4.0\", \"old_value\": \"3.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"CISA SolarWinds Cloud Detection\", \"description\": \"CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021.\", \"url\": \"https://us-cert.cisa.gov/ncas/alerts/aa21-008a\"}, \"root['external_references'][3]\": {\"source_name\": \"Microsoft 365 Defender Solorigate\", \"description\": \"Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.\", \"url\": \"https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/\"}, \"root['external_references'][4]\": {\"source_name\": \"Microsoft - Azure Sentinel ADFSDomainTrustMods\", \"description\": \"Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.\", \"url\": \"https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml\"}, \"root['external_references'][5]\": {\"source_name\": \"Microsoft - Update or Repair Federated domain\", \"description\": \"Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. 
Retrieved December 30, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365\"}, \"root['external_references'][10]\": {\"source_name\": \"Sygnia Golden SAML\", \"description\": \"Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved November 17, 2024.\", \"url\": \"https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/\"}}}",
+ "previous_version": "3.2",
+ "version_change": "3.2 \u2192 4.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1026: Privileged Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0270: Detection of Domain or Tenant Policy Modifications via AD and Identity Provider"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--5d2be8b9-d24c-4e98-83bf-2f5f79477163",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-12-28 21:50:59.844000+00:00",
+ "modified": "2026-04-16 20:07:52.883000+00:00",
+ "name": "Group Policy Modification",
+ "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO 
Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1484/001",
+ "external_id": "T1484.001"
+ },
+ {
+ "source_name": "Mandiant M Trends 2016",
+ "description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"
+ },
+ {
+ "source_name": "ADSecurity GPO Persistence 2016",
+ "description": "Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.",
+ "url": "https://adsecurity.org/?p=2716"
+ },
+ {
+ "source_name": "Microsoft Hacking Team Breach",
+ "description": "Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019.",
+ "url": "https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/"
+ },
+ {
+ "source_name": "Wald0 Guide to GPOs",
+ "description": "Robbins, A. (2018, April 2). A Red Teamer\u2019s Guide to GPOs and OUs. Retrieved March 5, 2019.",
+ "url": "https://wald0.com/?p=179"
+ },
+ {
+ "source_name": "Harmj0y Abusing GPO Permissions",
+ "description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.",
+ "url": "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/"
+ },
+ {
+ "source_name": "Harmj0y SeEnableDelegationPrivilege Right",
+ "description": "Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved September 23, 2024.",
+ "url": "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"
+ },
+ {
+ "source_name": "TechNet Group Policy Basics",
+ "description": "srachui. (2012, February 13). Group Policy Basics \u2013 Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.",
+ "url": "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Itamar Mizrahi, Cymptom",
+ "Tristan Bennett, Seamless Intelligence"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.883000+00:00\", \"old_value\": \"2025-10-24 17:48:50.475000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\\\\\SYSVOL\\\\\\\\Policies\\\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \\n\\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. 
write access, to specific users or groups in the domain.\\n\\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\\n\\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\\\MACHINE\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\", \"old_value\": \"Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). 
GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\\\\\SYSVOL\\\\\\\\Policies\\\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \\n\\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\\n\\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\\n\\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\\\MACHINE\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under 
the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\", \"diff\": \"--- \\n+++ \\n@@ -2,6 +2,6 @@\\n \\n Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\\n \\n-Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\\n+Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of 
potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\\n \\n For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\\\MACHINE\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may modify Group Policy Objects (GPOs) to subver t Adversaries may modify Group Policy Objects (GPOs) to subver \n t the intended discretionary access controls for a domain, u t the intended discretionary access controls for a domain, u \n sually with the intention of escalating privileges on the do sually with the intention of escalating privileges on the do \n main. Group policy allows for centralized management of user main. Group policy allows for centralized management of user \n and computer settings in Active Directory (AD). GPOs are co and computer settings in Active Directory (AD). GPOs are co \n ntainers for group policy settings made up of files stored w ntainers for group policy settings made up of files stored w \n ithin a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\ ithin a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\ \n Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: \n ADSecurity GPO Persistence 2016) Like other objects in AD ADSecurity GPO Persistence 2016) Like other objects in AD \n , GPOs have access controls associated with them. By default , GPOs have access controls associated with them. By default \n all user accounts in the domain have permission to read GPO all user accounts in the domain have permission to read GPO \n s. It is possible to delegate GPO access control permissions s. It is possible to delegate GPO access control permissions \n , e.g. write access, to specific users or groups in the doma , e.g. write access, to specific users or groups in the doma \n in. Malicious GPO modifications can be used to implement ma in. 
Malicious GPO modifications can be used to implement ma \n ny other malicious behaviors such as [Scheduled Task/Job](ht ny other malicious behaviors such as [Scheduled Task/Job](ht \n tps://attack.mitre.org/techniques/T1053), [Disable or Modify tps://attack.mitre.org/techniques/T1053), [Disable or Modify \n Tools](https://attack.mitre.org/techniques/T1562/001 ), [Ing Tools](https://attack.mitre.org/techniques/T168 5), [Ingress \n ress Tool Transfer](https://attack.mitre.org/techniques/T110 Tool Transfer](https://attack.mitre.org/techniques/T1105), \n 5), [Create Account](https://attack.mitre.org/techniques/T11 [Create Account](https://attack.mitre.org/techniques/T1136), \n 36), [Service Execution](https://attack.mitre.org/techniques [Service Execution](https://attack.mitre.org/techniques/T15 \n /T1569/002), and more.(Citation: ADSecurity GPO Persistence 69/002), and more.(Citation: ADSecurity GPO Persistence 201 \n 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abus 6)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing \n ing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citat GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: \n ion: Microsoft Hacking Team Breach) Since GPOs can control s Microsoft Hacking Team Breach) Since GPOs can control so ma \n o many user and machine settings in the AD environment, ther ny user and machine settings in the AD environment, there ar \n e are a great number of potential attacks that can stem from e a great number of potential attacks that can stem from thi \n this GPO abuse.(Citation: Wald0 Guide to GPOs) For example s GPO abuse.(Citation: Wald0 Guide to GPOs) For example, pu \n , publicly available scripts such as <code>New-GPOImmediateT blicly available scripts such as <code>New-GPOImmediateTask< \n ask</code> can be leveraged to automate the creation of a ma /code> can be leveraged to automate the creation of a malici \n licious [Scheduled Task/Job](https://attack.mitre.org/techni ous [Scheduled 
Task/Job](https://attack.mitre.org/techniques \n ques/T1053) by modifying GPO settings, in this case modifyin /T1053) by modifying GPO settings, in this case modifying <c \n g <code><GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ ode><GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\Sche \n ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Ci duledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citati \n tation: Harmj0y Abusing GPO Permissions) In some cases an ad on: Harmj0y Abusing GPO Permissions) In some cases an advers \n versary might modify specific user rights like SeEnableDeleg ary might modify specific user rights like SeEnableDelegatio \n ationPrivilege, set in <code><GPO_PATH>\\MACHINE\\Micros nPrivilege, set in <code><GPO_PATH>\\MACHINE\\Microsoft\\ \n oft\\Windows NT\\SecEdit\\GptTmpl.inf</code>, to achieve a subt Windows NT\\SecEdit\\GptTmpl.inf</code>, to achieve a subtle A \n le AD backdoor with complete control of the domain because t D backdoor with complete control of the domain because the u \n he user account under the adversary's control would then be ser account under the adversary's control would then be able \n able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPri to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivile \n vilege Right) ge Right) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0305: Detection of Group Policy Modifications via AD Object Changes and File Activity"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-12-28 21:59:02.181000+00:00",
+ "modified": "2026-04-16 20:07:52.987000+00:00",
+ "name": "Trust Modification",
+ "description": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \n\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. 
For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS re Inforce Trust Mod)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1484/002",
+ "external_id": "T1484.002"
+ },
+ {
+ "source_name": "AWS re Inforce Trust Mod",
+ "description": "AWS re Inforce. (2024, June). Retrieved April 15, 2026.",
+ "url": "https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ },
+ {
+ "source_name": "AADInternals zure AD Federated Domain",
+ "description": "Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.",
+ "url": "https://o365blog.com/post/federation-vulnerability/"
+ },
+ {
+ "source_name": "Microsoft - Azure AD Federation",
+ "description": "Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020.",
+ "url": "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed"
+ },
+ {
+ "source_name": "Okta Cross-Tenant Impersonation 2023",
+ "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
+ "url": "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Blake Strom, Microsoft 365 Defender",
+ "Praetorian",
+ "Obsidian Security"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Identity Provider",
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.987000+00:00\", \"old_value\": \"2025-10-24 17:48:32.244000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\\n\\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. 
An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \\n\\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS re Inforce Trust Mod)\", \"old_value\": \"Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\\n\\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. 
Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \\n\\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. 
An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \\n \\n-An adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)\\n+An adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. 
For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS re Inforce Trust Mod)\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"AWS re Inforce Trust Mod\", \"old_value\": \"AWS RE:Inforce Threat Detection 2024\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"AWS re Inforce. (2024, June). Retrieved April 15, 2026.\", \"old_value\": \"Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf\", \"old_value\": \"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"CISA SolarWinds Cloud Detection\", \"description\": \"CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021.\", \"url\": \"https://us-cert.cisa.gov/ncas/alerts/aa21-008a\"}, \"root['external_references'][5]\": {\"source_name\": \"Microsoft - Azure Sentinel ADFSDomainTrustMods\", \"description\": \"Microsoft. (2020, December). Azure Sentinel Detections. 
Retrieved December 30, 2020.\", \"url\": \"https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml\"}, \"root['external_references'][6]\": {\"source_name\": \"Microsoft - Update or Repair Federated domain\", \"description\": \"Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365\"}, \"root['external_references'][8]\": {\"source_name\": \"Sygnia Golden SAML\", \"description\": \"Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved November 17, 2024.\", \"url\": \"https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/\"}}}",
+ "previous_version": "2.2",
+ "version_change": "2.2 \u2192 3.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may add new domain trusts, modify the properties t Adversaries may add new domain trusts, modify the properties \n of existing domain trusts, or otherwise change the configur of existing domain trusts, or otherwise change the configur \n ation of trust relationships between domains and tenants to ation of trust relationships between domains and tenants to \n evade defenses and/or elevate privileges.Trust details, such evade defenses and/or elevate privileges.Trust details, such \n as whether or not user identities are federated, allow auth as whether or not user identities are federated, allow auth \n entication and authorization properties to apply between dom entication and authorization properties to apply between dom \n ains or tenants for the purpose of accessing shared resource ains or tenants for the purpose of accessing shared resource \n s.(Citation: Microsoft - Azure AD Federation) These trust ob s.(Citation: Microsoft - Azure AD Federation) These trust ob \n jects may include accounts, credentials, and other authentic jects may include accounts, credentials, and other authentic \n ation material applied to servers, tokens, and domains. Man ation material applied to servers, tokens, and domains. Man \n ipulating these trusts may allow an adversary to escalate pr ipulating these trusts may allow an adversary to escalate pr \n ivileges and/or evade defenses by modifying settings to add ivileges and/or evade defenses by modifying settings to add \n objects which they control. For example, in Microsoft Active objects which they control. 
For example, in Microsoft Active \n Directory (AD) environments, this may be used to forge [SAM Directory (AD) environments, this may be used to forge [SAM \n L Tokens](https://attack.mitre.org/techniques/T1606/002) wit L Tokens](https://attack.mitre.org/techniques/T1606/002) wit \n hout the need to compromise the signing certificate to forge hout the need to compromise the signing certificate to forge \n new credentials. Instead, an adversary can manipulate domai new credentials. Instead, an adversary can manipulate domai \n n trusts to add their own signing certificate. An adversary n trusts to add their own signing certificate. An adversary \n may also convert an AD domain to a federated domain using Ac may also convert an AD domain to a federated domain using Ac \n tive Directory Federation Services (AD FS), which may enable tive Directory Federation Services (AD FS), which may enable \n malicious trust modifications such as altering the claim is malicious trust modifications such as altering the claim is \n suance rules to log in any valid set of credentials as a spe suance rules to log in any valid set of credentials as a spe \n cified user.(Citation: AADInternals zure AD Federated Domain cified user.(Citation: AADInternals zure AD Federated Domain \n ) An adversary may also add a new federated identity provi ) An adversary may also add a new federated identity provi \n der to an identity tenant such as Okta or AWS IAM Identity C der to an identity tenant such as Okta or AWS IAM Identity C \n enter, which may enable the adversary to authenticate as any enter, which may enable the adversary to authenticate as any \n user of the tenant.(Citation: Okta Cross-Tenant Impersonati user of the tenant.(Citation: Okta Cross-Tenant Impersonati \n on 2023) This may enable the threat actor to gain broad acce on 2023) This may enable the threat actor to gain broad acce \n ss into a variety of cloud-based services that leverage the ss into a variety of cloud-based services 
that leverage the \n identity tenant. For example, in AWS environments, an advers identity tenant. For example, in AWS environments, an advers \n ary that creates a new identity provider for an AWS Organiza ary that creates a new identity provider for an AWS Organiza \n tion will be able to federate into all of the AWS Organizati tion will be able to federate into all of the AWS Organizati \n on member accounts without creating identities for each of t on member accounts without creating identities for each of t \n he member accounts.(Citation: AWS RE: Inforce Threat Detectio he member accounts.(Citation: AWS re Inforce Trust Mod ) \n n 2024 ) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1026: Privileged Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0458: Detection of Trust Relationship Modifications in Domain or Tenant Policies"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2019-01-31 02:10:08.261000+00:00",
+ "modified": "2026-04-15 20:03:40.312000+00:00",
+ "name": "Execution Guardrails",
+ "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.\n\nAdversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1480",
+ "external_id": "T1480"
+ },
+ {
+ "source_name": "FireEye Outlook Dec 2019",
+ "description": "McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html"
+ },
+ {
+ "source_name": "Trellix-Qakbot",
+ "description": "Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved June 7, 2024.",
+ "url": "https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/"
+ },
+ {
+ "source_name": "FireEye Kevin Mandia Guardrails",
+ "description": "Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.",
+ "url": "https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Nick Carr, Mandiant"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:03:40.312000+00:00\", \"old_value\": \"2025-10-24 17:49:03.764000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1055: Do Not Mitigate"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0562: Multi-Platform Execution Guardrails Environmental Validation Detection Strategy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-06-23 22:28:28.041000+00:00",
+ "modified": "2026-04-15 20:07:10.470000+00:00",
+ "name": "Environmental Keying",
+ "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. 
Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1480/001",
+ "external_id": "T1480.001"
+ },
+ {
+ "source_name": "Proofpoint Router Malvertising",
+ "description": "Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
+ },
+ {
+ "source_name": "Kaspersky Gauss Whitepaper",
+ "description": "Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019.",
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf"
+ },
+ {
+ "source_name": "EK Clueless Agents",
+ "description": "Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.",
+ "url": "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf"
+ },
+ {
+ "source_name": "EK Impeding Malware Analysis",
+ "description": "Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.",
+ "url": "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf"
+ },
+ {
+ "source_name": "Demiguise Guardrail Router Logo",
+ "description": "Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.",
+ "url": "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js"
+ },
+ {
+ "source_name": "Environmental Keyed HTA",
+ "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved November 17, 2024.",
+ "url": "http://web.archive.org/web/20200608093807/https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Nick Carr, Mandiant"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:07:10.470000+00:00\", \"old_value\": \"2025-10-24 17:49:35.768000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\\n\\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\\n\\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. 
Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\\n\\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.\", \"old_value\": \"Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. 
Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\\n\\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\\n\\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. 
Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\\n\\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.\", \"diff\": \"--- \\n+++ \\n@@ -1,7 +1,7 @@\\n Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\\n \\n-Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. 
Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\\n+Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\\n \\n-Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. 
Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\\n+Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. 
Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\\n \\n Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][3]\": {\"source_name\": \"Ebowla: Genetic Malware\", \"description\": \"Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019.\", \"url\": \"https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may environmentally key payloads or other featur t Adversaries may environmentally key payloads or other featur \n es of malware to evade defenses and constraint execution to es of malware to evade defenses and constraint execution to \n a specific target environment. Environmental keying uses cry a specific target environment. Environmental keying uses cry \n ptography to constrain execution or actions based on adversa ptography to constrain execution or actions based on adversa \n ry supplied environment specific conditions that are expecte ry supplied environment specific conditions that are expecte \n d to be present on the target. Environmental keying is an im d to be present on the target. Environmental keying is an im \n plementation of [Execution Guardrails](https://attack.mitre. plementation of [Execution Guardrails](https://attack.mitre. \n org/techniques/T1480) that utilizes cryptographic techniques org/techniques/T1480) that utilizes cryptographic techniques \n for deriving encryption/decryption keys from specific types for deriving encryption/decryption keys from specific types \n of values in a given computing environment.(Citation: EK Cl of values in a given computing environment.(Citation: EK Cl \n ueless Agents) Values can be derived from target-specific e ueless Agents) Values can be derived from target-specific e \n lements and used to generate a decryption key for an encrypt lements and used to generate a decryption key for an encrypt \n ed payload. Target-specific values can be derived from speci ed payload. 
Target-specific values can be derived from speci \n fic network shares, physical devices, software/software vers fic network shares, physical devices, software/software vers \n ions, files, joined AD domains, system time, and local/exter ions, files, joined AD domains, system time, and local/exter \n nal IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Cita nal IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Cita \n tion: Proofpoint Router Malvertising)(Citation: EK Impeding tion: Proofpoint Router Malvertising)(Citation: EK Impeding \n Malware Analysis)(Citation: Environmental Keyed HTA)(Citatio Malware Analysis)(Citation: Environmental Keyed HTA) By gene \n n: E bowla: Genetic Malware) By generating the decryption key rating the decryption keys from target-specific environmenta \n s from target-specific environmental values , environmental k l values, environmental keying can make sand box detection, a \n eying can make sandbox detection, anti-virus detection, crow nti-virus detection, cro wdsourcing of information , and rever \n dsourcing of information, and reverse engineering difficult.se engineering difficult.(Citation: Kaspersky Gauss Whitepap \n (Citation: Kaspersky Gauss Whitepaper)(Citation: Eb owla: Gen er) These difficulties can sl ow do wn the incident response p \n etic Mal ware) These difficulties can slow down the incident rocess and help adversaries hide their tactics, techniques, \n response process and help adversaries hide their tactics, teand procedures (TTPs). Similar to [Obfuscated Files or Info \n chniques, and procedures (TTPs). Similar to [Obfuscated Fil rmation](https://attack.mitre.org/techniques/T1027), adversa \n es or Information](https://attack.mitre.org/techniques/T1027 ries may use environmental keying to help protect their TTPs \n ), adversaries may use environmental keying to help protect and evade detection. Environmental keying may be used to de \n their TTPs and evade detection. 
Environmental keying may be liver an encrypted payload to the target that will use targe \n used to deliver an encrypted payload to the target that will t-specific values to decrypt the payload before execution.(C \n use target-specific values to decrypt the payload before ex itation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding M \n ecution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK alware Analysis)(Citation: Environmental Keyed HTA)(Citation \n Impeding Malware Analysis)(Citation: Environmental Keyed HTA : Demiguise Guardrail Router Logo) By utilizing target-speci \n )(Citation: E bowla: Genetic Malware)(Citation: Demiguise Gua fic values to decrypt the payload the adversary can avoid pa \n rdrail Router Logo) By utilizing target-specific values to d ckaging the decryption key with the payload or sending it ov \n ecrypt the payload the adversary can avoid packaging the dec er a potentially monitored network connection. Depending on \n ryption key with the payload or sending it over a potentiall the technique for gathering target-specific values, reverse \n y monitored network connection. Depending on the technique f engineering of the encrypted payload can be exceptionally di \n or gathering target-specific values, reverse engineering of fficult.(Citation: Kaspersky Gauss Whitepaper) This can be u \n the encrypted payload can be exceptionally difficult.(Citatised to prevent exposure of capabilities in environments that \n on: Kaspersky Gauss Whitepaper) This can be used to prevent are not intended to be compromised or operated within. Lik \n exposure of capabilities in environments that are not intend e other [Execution Guardrails](https://attack.mitre.org/tech \n ed to be compromised or operated within. 
Like other [Execut niques/T1480), environmental keying can be used to prevent e \n ion Guardrails](https://attack.mitre.org/techniques/T1480), xposure of capabilities in environments that are not intende \n environmental keying can be used to prevent exposure of capa d to be compromised or operated within. This activity is dis \n bilities in environments that are not intended to be comprom tinct from typical [Virtualization/Sandbox Evasion](https:// \n ised or operated within. This activity is distinct from typi attack.mitre.org/techniques/T1497). While use of [Virtualiza \n cal [Virtualization/Sandbox Evasion](https://attack.mitre.or tion/Sandbox Evasion](https://attack.mitre.org/techniques/T1 \n g/techniques/T1497). While use of [Virtualization/Sandbox Ev 497) may involve checking for known sandbox values and conti \n asion](https://attack.mitre.org/techniques/T1497) may involv nuing with execution only if there is no match, the use of e \n e checking for known sandbox values and continuing with exec nvironmental keying will involve checking for an expected ta \n ution only if there is no match, the use of environmental ke rget-specific value that must match for decryption and subse \n ying will involve checking for an expected target-specific v quent execution to be successful. \n alue that must match for decryption and subsequent execution \n to be successful. \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1055: Do Not Mitigate"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0474: Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-09-19 14:00:03.401000+00:00",
+ "modified": "2026-04-15 20:07:21.724000+00:00",
+ "name": "Mutual Exclusion",
+ "description": "Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)\n\nWhile local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)\n\nIn Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)\n\nMutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1480/002",
+ "external_id": "T1480.002"
+ },
+ {
+ "source_name": "Intezer RedXOR 2021",
+ "description": "Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved September 19, 2024.",
+ "url": "https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/"
+ },
+ {
+ "source_name": "Sans Mutexes 2012",
+ "description": "Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.",
+ "url": "https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/"
+ },
+ {
+ "source_name": "ICS Mutexes 2015",
+ "description": "Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names to Evade Detection. Retrieved September 19, 2024.",
+ "url": "https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/"
+ },
+ {
+ "source_name": "Microsoft Mutexes",
+ "description": "Microsoft. (2022, March 11). Mutexes. Retrieved September 19, 2024.",
+ "url": "https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes"
+ },
+ {
+ "source_name": "Deep Instinct BPFDoor 2023",
+ "description": "Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves \u2013 Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.",
+ "url": "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Manikantan Srinivasan, NEC Corporation India",
+ "Pooja Natarajan, NEC Corporation India",
+ "Nagahama Hiroki \u2013 NEC Corporation Japan"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:07:21.724000+00:00\", \"old_value\": \"2025-04-15 22:50:39.088000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1055: Do Not Mitigate"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0132: Detection of Mutex-Based Execution Guardrails Across Platforms"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2018-04-18 17:59:24.739000+00:00",
+ "modified": "2026-04-15 13:36:04.483000+00:00",
+ "name": "Exploitation for Stealth",
+ "description": "Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components. \n\nAdversaries may exploit a system or application vulnerability to avoid detection while maintaining access within an environment. Exploitation occurs when an adversary leverages a programming flaw to execute code in a manner that minimizes visibility or blends in with legitimate activity. \n\nRather than directly disabling defenses, adversaries may use exploitation to circumvent monitoring and logging mechanisms. This can include abusing vulnerabilities in logging pipelines, security tools, or cloud infrastructure to evade audit trails, suppress alerts, or operate without generating telemetry. \n\nAdversaries may identify these opportunities through prior reconnaissance or by performing discovery of security controls after initial access. In some cases, vulnerabilities in SaaS or public cloud environments may be exploited to evade logging, obscure activity, or deploy infrastructure that remains hidden from standard monitoring tools.(Citation: Bypassing CloudTrail in AWS Service Catalog)(Citation: GhostToken GCP flaw)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1211",
+ "external_id": "T1211"
+ },
+ {
+ "source_name": "Bypassing CloudTrail in AWS Service Catalog",
+ "description": "Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.",
+ "url": "https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/"
+ },
+ {
+ "source_name": "GhostToken GCP flaw",
+ "description": "Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.",
+ "url": "https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "John Lambert, Microsoft Threat Intelligence Center"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "SaaS",
+ "IaaS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 13:36:04.483000+00:00\", \"old_value\": \"2025-10-24 17:49:39.960000+00:00\"}, \"root['name']\": {\"new_value\": \"Exploitation for Stealth\", \"old_value\": \"Exploitation for Defense Evasion\"}, \"root['description']\": {\"new_value\": \"Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components. \\n\\nAdversaries may exploit a system or application vulnerability to avoid detection while maintaining access within an environment. Exploitation occurs when an adversary leverages a programming flaw to execute code in a manner that minimizes visibility or blends in with legitimate activity. \\n\\nRather than directly disabling defenses, adversaries may use exploitation to circumvent monitoring and logging mechanisms. This can include abusing vulnerabilities in logging pipelines, security tools, or cloud infrastructure to evade audit trails, suppress alerts, or operate without generating telemetry. \\n\\nAdversaries may identify these opportunities through prior reconnaissance or by performing discovery of security controls after initial access. In some cases, vulnerabilities in SaaS or public cloud environments may be exploited to evade logging, obscure activity, or deploy infrastructure that remains hidden from standard monitoring tools.(Citation: Bypassing CloudTrail in AWS Service Catalog)(Citation: GhostToken GCP flaw)\", \"old_value\": \"Adversaries may exploit a system or application vulnerability to bypass security features. 
Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n\\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\\n\\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n+Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components. 
\\n \\n-Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\\n+Adversaries may exploit a system or application vulnerability to avoid detection while maintaining access within an environment. Exploitation occurs when an adversary leverages a programming flaw to execute code in a manner that minimizes visibility or blends in with legitimate activity. \\n \\n-There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)\\n+Rather than directly disabling defenses, adversaries may use exploitation to circumvent monitoring and logging mechanisms. This can include abusing vulnerabilities in logging pipelines, security tools, or cloud infrastructure to evade audit trails, suppress alerts, or operate without generating telemetry. \\n+\\n+Adversaries may identify these opportunities through prior reconnaissance or by performing discovery of security controls after initial access. 
In some cases, vulnerabilities in SaaS or public cloud environments may be exploited to evade logging, obscure activity, or deploy infrastructure that remains hidden from standard monitoring tools.(Citation: Bypassing CloudTrail in AWS Service Catalog)(Citation: GhostToken GCP flaw)\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.5\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Salesforce zero-day in facebook phishing attack\", \"description\": \"Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.\", \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/\"}}}",
+ "previous_version": "1.5",
+ "version_change": "1.5 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may exploit a system or application vulnerabilit t Adversaries may exploit vulnerabilities to evade detection b \n y to bypass security features. Exploitation of a vulnerabili y hiding activity, suppressing logging, or operating within \n ty occurs when an adversary takes advantage of a programming trusted or unmonitored components. Adversaries may exploit \n error in a program, service, or within the operating system a system or application vulnerability to avoid detection wh \n software or kernel itself to execute adversary-controlled c ile maintaining access within an environment. Exploitation o \n ode.\u00a0Vulnerabilities may exist in defensive security softwar ccurs when an adversary leverages a programming flaw to exec \n e that can be used to disable or circumvent them. Adversari ute code in a manner that minimizes visibility or blends in \n es may have prior knowledge through reconnaissance that secu with legitimate activity. Rather than directly disabling d \n rity software exists within an environment or they may perfo efenses, adversaries may use exploitation to circumvent moni \n rm checks during or shortly after the system is compromised toring and logging mechanisms. This can include abusing vuln \n for [Security Software Discovery](https://attack.mitre.org/t erabilities in logging pipelines, security tools, or cloud i \n echniques/T1518/001). The security software will likely be t nfrastructure to evade audit trails, suppress alerts, or ope \n argeted directly for exploitation. There are examples of ant rate without generating telemetry. Adversaries may identif \n ivirus software being targeted by persistent threat groups t y these opportunities through prior reconnaissance or by per \n o avoid detection. There have also been examples of vulnera forming discovery of security controls after initial access. 
\n bilities in public cloud infrastructure of SaaS applications In some cases, vulnerabilities in SaaS or public cloud envi \n that may bypass defense boundaries (Citation: Salesforce ze ronments may be exploited to evade logging, obscure activity \n ro-day in facebook phishing attack), evade security logs (Ci , or deploy infrastructure that remains hidden from standard \n tation: Bypassing CloudTrail in AWS Service Catalog), or dep monitoring tools.(Citation: Bypassing CloudTrail in AWS Ser \n loy hidden infrastructure.(Citation: GhostToken GCP flaw) vice Catalog)(Citation: GhostToken GCP flaw) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1019: Threat Intelligence Program",
+ "M1048: Application Isolation and Sandboxing",
+ "M1050: Exploit Protection",
+ "M1051: Update Software"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0595: Detection Strategy for Exploitation for Stealth"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2018-10-17 00:14:20.652000+00:00",
+ "modified": "2026-04-16 20:07:53.078000+00:00",
+ "name": "File and Directory Permissions Modification",
+ "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory\u2019s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\n\nAdversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1222",
+ "external_id": "T1222"
+ },
+ {
+ "source_name": "falconoverwatch_blackcat_attack",
+ "description": "Falcon OverWatch Team. (2022, March 23). Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack. Retrieved May 5, 2022.",
+ "url": "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/"
+ },
+ {
+ "source_name": "Hybrid Analysis Icacls1 June 2018",
+ "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
+ "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
+ },
+ {
+ "source_name": "Hybrid Analysis Icacls2 May 2018",
+ "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
+ "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
+ },
+ {
+ "source_name": "bad_luck_blackcat",
+ "description": "Kaspersky Global Research & Analysis Team (GReAT). (2022). A Bad Luck BlackCat. Retrieved May 5, 2022.",
+ "url": "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf"
+ },
+ {
+ "source_name": "fsutil_behavior",
+ "description": "Microsoft. (2021, September 27). fsutil behavior. Retrieved January 14, 2022.",
+ "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior"
+ },
+ {
+ "source_name": "blackmatter_blackcat",
+ "description": "Pereira, T. Huey, C. (2022, March 17). From BlackMatter to BlackCat: Analyzing two attacks from one affiliate. Retrieved May 5, 2022.",
+ "url": "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html"
+ },
+ {
+ "source_name": "new_rust_based_ransomware",
+ "description": "Symantec Threat Hunter Team. (2021, December 16). Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware. Retrieved January 14, 2022.",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "CrowdStrike Falcon OverWatch",
+ "Jan Miller, CrowdStrike"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.078000+00:00\", \"old_value\": \"2025-10-24 17:48:52.570000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.3\"}}, \"iterable_item_removed\": {\"root['external_references'][6]\": {\"source_name\": \"EventTracker File Permissions Feb 2014\", \"description\": \"Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.\", \"url\": \"https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/\"}}}",
+ "previous_version": "2.3",
+ "version_change": "2.3 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1026: Privileged Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0299: Multi-Platform File and Directory Permissions Modification Detection Strategy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-04 19:24:27.774000+00:00",
+ "modified": "2026-04-22 15:51:53.173000+00:00",
+ "name": "Linux and Mac Permissions",
+ "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1222/002",
+ "external_id": "T1222.002"
+ },
+ {
+ "source_name": "Hybrid Analysis Icacls1 June 2018",
+ "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
+ "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
+ },
+ {
+ "source_name": "Hybrid Analysis Icacls2 May 2018",
+ "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
+ "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
+ },
+ {
+ "source_name": "20 macOS Common Tools and Techniques",
+ "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
+ "url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-22 15:51:53.173000+00:00\", \"old_value\": \"2025-10-24 17:48:21.839000+00:00\"}, \"root['name']\": {\"new_value\": \"Linux and Mac Permissions\", \"old_value\": \"Linux and Mac File and Directory Permissions Modification\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1026: Privileged Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0351: Unix-like File Permission Manipulation Behavioral Chain Detection Strategy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-04 19:17:41.767000+00:00",
+ "modified": "2026-04-22 15:51:17.272000+00:00",
+ "name": "Windows Permissions",
+ "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1222/001",
+ "external_id": "T1222.001"
+ },
+ {
+ "source_name": "Hybrid Analysis Icacls1 June 2018",
+ "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
+ "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
+ },
+ {
+ "source_name": "Hybrid Analysis Icacls2 May 2018",
+ "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
+ "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
+ },
+ {
+ "source_name": "Microsoft Access Control Lists May 2018",
+ "description": "M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists"
+ },
+ {
+ "source_name": "Microsoft DACL May 2018",
+ "description": "Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.",
+ "url": "https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-22 15:51:17.272000+00:00\", \"old_value\": \"2025-10-24 17:48:37.826000+00:00\"}, \"root['name']\": {\"new_value\": \"Windows Permissions\", \"old_value\": \"Windows File and Directory Permissions Modification\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][5]\": {\"source_name\": \"EventTracker File Permissions Feb 2014\", \"description\": \"Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.\", \"url\": \"https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1026: Privileged Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0418: Windows DACL Manipulation Behavioral Chain Detection Strategy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-26 17:41:25.933000+00:00",
+ "modified": "2026-04-15 20:17:25.231000+00:00",
+ "name": "Hide Artifacts",
+ "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564",
+ "external_id": "T1564"
+ },
+ {
+ "source_name": "Cybereason OSX Pirrit",
+ "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.",
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
+ },
+ {
+ "source_name": "MalwareBytes ADS July 2015",
+ "description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
+ "url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
+ },
+ {
+ "source_name": "Sofacy Komplex Trojan",
+ "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
+ },
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Office Suite",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:17:25.231000+00:00\", \"old_value\": \"2025-10-24 17:48:31.407000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}}",
+ "previous_version": "1.4",
+ "version_change": "1.4 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1013: Application Developer Guidance",
+ "M1033: Limit Software Installation",
+ "M1047: Audit",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0502: Detection Strategy for Hidden Artifacts Across Platforms"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--5bd41255-a224-4425-a2e2-e9d293eafe1c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2025-01-30 21:01:16.340000+00:00",
+ "modified": "2026-04-15 20:17:48.263000+00:00",
+ "name": "Bind Mounts",
+ "description": "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It\u2019s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access. \n\nAdversaries may use bind mounts to map either an empty directory or a benign `/proc` directory to a malicious process\u2019s `/proc` directory. Using the commands `mount \u2013o bind /proc/benign-process /proc/malicious-process` (or `mount \u2013B`), the malicious process's `/proc` directory is overlayed with the contents of a benign process's `/proc` directory. When system utilities query process activity, such as `ps` and `top`, the kernel follows the bind mount and presents the benign directory\u2019s contents instead of the malicious process's actual `/proc` directory. As a result, these utilities display information that appears to come from the benign process, effectively hiding the malicious process's metadata, executable, or other artifacts from detection.(Citation: Cado Security Commando Cat 2024)(Citation: Ahn Lab CoinMiner 2023)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/013",
+ "external_id": "T1564.013"
+ },
+ {
+ "source_name": "Ahn Lab CoinMiner 2023",
+ "description": "Ahn Lab. (2023, April 24). CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers. Retrieved April 4, 2025.",
+ "url": "https://asec.ahnlab.com/en/51908/"
+ },
+ {
+ "source_name": "Cado Security Commando Cat 2024",
+ "description": "Nate Bill & Matt Muir. (2024, February 1). The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker. Retrieved April 4, 2025.",
+ "url": "https://www.cadosecurity.com/blog/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "L\u00ea Ph\u01b0\u01a1ng Nam, Group-IB"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:17:48.263000+00:00\", \"old_value\": \"2025-04-15 19:58:34.469000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0428: Detection Strategy for Bind Mounts on Linux"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-06-07 13:20:23.767000+00:00",
+ "modified": "2026-04-15 20:18:10.251000+00:00",
+ "name": "Email Hiding Rules",
+ "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/008",
+ "external_id": "T1564.008"
+ },
+ {
+ "source_name": "MacOS Email Rules",
+ "description": "Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.",
+ "url": "https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac"
+ },
+ {
+ "source_name": "Microsoft Mail Flow Rules 2023",
+ "description": "Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.",
+ "url": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+ },
+ {
+ "source_name": "Microsoft Inbox Rules",
+ "description": "Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.",
+ "url": "https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59"
+ },
+ {
+ "source_name": "Microsoft New-InboxRule",
+ "description": "Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.",
+ "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps"
+ },
+ {
+ "source_name": "Microsoft Set-InboxRule",
+ "description": "Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.",
+ "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps"
+ },
+ {
+ "source_name": "Microsoft Cloud App Security",
+ "description": "Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.",
+ "url": "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Dor Edry, Microsoft",
+ "Liran Ravich, CardinalOps"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS",
+ "Office Suite"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:18:10.251000+00:00\", \"old_value\": \"2025-10-24 17:48:23.364000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"Microsoft BEC Campaign\", \"description\": \"Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.\", \"url\": \"https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/\"}}}",
+ "previous_version": "1.4",
+ "version_change": "1.4 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0192: Detection Strategy for Email Hiding Rules"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--762e6f29-a62f-4d96-91ed-d0073181431f",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2025-03-27 19:40:00.716000+00:00",
+ "modified": "2026-04-15 20:19:25.896000+00:00",
+ "name": "Extended Attributes",
+ "description": "Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like `Finder`, `ls`, or `cat` and require utilities such as `xattr` (macOS) or `getfattr` (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as `user.` (user permissions), `trusted.` (root permissions), `security.`, and `system.`, each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with `com.apple.*` (e.g., `com.apple.quarantine`, `com.apple.metadata:_kMDItemUserTags`) and used by system features like Gatekeeper and Spotlight.(Citation: Establishing persistence using extended attributes on Linux)\n\nAn adversary may leverage xattrs by embedding a second-stage payload into the extended attribute of a legitimate file. On macOS, a payload can be embedded into a custom attribute using the `xattr` command. A separate loader can retrieve the attribute with `xattr -p`, decode the content, and execute it using a scripting interpreter. On Linux, an adversary may use `setfattr` to write a payload into the `user.` namespace of a legitimate file. A loader script can later extract the payload with `getfattr --only-values`, decode it, and execute it using bash or another interpreter. In both cases, because the primary file content remains unchanged, security tools and integrity checks that do not inspect extended attributes will observe the original file hash, allowing the malicious payload to evade detection.(Citation: Low GroupIB xattrs nov 2024)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/014",
+ "external_id": "T1564.014"
+ },
+ {
+ "source_name": "Establishing persistence using extended attributes on Linux",
+ "description": "Irem Kuyucu. (2024, August 6). Establishing persistence using extended attributes on Linux. Retrieved March 27, 2025.",
+ "url": "https://kernal.eu/posts/linux-xattr-persistence/"
+ },
+ {
+ "source_name": "Low GroupIB xattrs nov 2024",
+ "description": "Sharmine Low. (2024, November 13). Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes. Retrieved March 27, 2025.",
+ "url": "https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Sharmine Low, Group-IB",
+ "Rouven Bissinger (SySS GmbH)",
+ "RoseSecurity"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:19:25.896000+00:00\", \"old_value\": \"2025-09-17 17:58:26.729000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1040: Behavior Prevention on Endpoint"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0406: Detection Strategy for Extended Attributes Abuse"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--09b008a9-b4eb-462a-a751-a0eb58050cd9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-03-29 16:59:10.374000+00:00",
+ "modified": "2026-04-16 19:21:42.768000+00:00",
+ "name": "File/Path Exclusions",
+ "description": "Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\n\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/012",
+ "external_id": "T1564.012"
+ },
+ {
+ "source_name": "Microsoft File Folder Exclusions",
+ "description": "Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.",
+ "url": "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 19:21:42.768000+00:00\", \"old_value\": \"2025-04-15 22:35:31.731000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\\n\\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.\", \"old_value\": \"Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. 
These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\\n\\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\\n \\n-Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. 
Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.\\n+Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may attempt to hide their file-based artifacts b t Adversaries may attempt to hide their file-based artifacts b \n y writing them to specific folders or file names excluded fr y writing them to specific folders or file names excluded fr \n om antivirus (AV) scanning and other defensive capabilities. om antivirus (AV) scanning and other defensive capabilities. \n AV and other file-based scanners often include exclusions t AV and other file-based scanners often include exclusions t \n o optimize performance as well as ease installation and legi o optimize performance as well as ease installation and legi \n timate use of applications. These exclusions may be contextu timate use of applications. These exclusions may be contextu \n al (e.g., scans are only initiated in response to specific t al (e.g., scans are only initiated in response to specific t \n riggering events/alerts), but are also often hardcoded strin riggering events/alerts), but are also often hardcoded strin \n gs referencing specific folders and/or files assumed to be t gs referencing specific folders and/or files assumed to be t \n rusted and legitimate.(Citation: Microsoft File Folder Exclu rusted and legitimate.(Citation: Microsoft File Folder Exclu \n sions) Adversaries may abuse these exclusions to hide their sions) Adversaries may abuse these exclusions to hide their \n file-based artifacts. For example, rather than tampering w file-based artifacts. For example, rather than tampering w \n ith tool settings to add a new exclusion (i.e., [Disable or ith tool settings to add a new exclusion (i.e., [Disable or \n Modify Tools](https://attack.mitre.org/techniques/T1562/001 ) Modify Tools](https://attack.mitre.org/techniques/T168 5)), a \n ), adversaries may drop their file-based payloads in default dversaries may drop their file-based payloads in default or \n or otherwise well-known exclusions. 
Adversaries may also us otherwise well-known exclusions. Adversaries may also use [S \n e [Security Software Discovery](https://attack.mitre.org/tec ecurity Software Discovery](https://attack.mitre.org/techniq \n hniques/T1518/001) and other [Discovery](https://attack.mitr ues/T1518/001) and other [Discovery](https://attack.mitre.or \n e.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre. g/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/ \n org/tactics/TA0043) activities to both discover and verify e tactics/TA0043) activities to both discover and verify exist \n xisting exclusions in a victim environment. ing exclusions in a victim environment. \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1013: Application Developer Guidance",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0051: Detection Strategy for File/Path Exclusions"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-06-28 22:55:55.719000+00:00",
+ "modified": "2026-04-15 20:22:45.621000+00:00",
+ "name": "Hidden File System",
+ "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/005",
+ "external_id": "T1564.005"
+ },
+ {
+ "source_name": "FireEye Bootkits",
+ "description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.",
+ "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"
+ },
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf"
+ },
+ {
+ "source_name": "MalwareTech VFS Nov 2014",
+ "description": "Hutchins, M. (2014, November 28). Virtual File Systems for Beginners. Retrieved June 22, 2020.",
+ "url": "https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html"
+ },
+ {
+ "source_name": "Kaspersky Equation QA",
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.",
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:22:45.621000+00:00\", \"old_value\": \"2025-10-24 17:49:29.855000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0461: Detection Strategy for Hidden File System Abuse"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-26 17:46:13.128000+00:00",
+ "modified": "2026-04-15 20:23:13.914000+00:00",
+ "name": "Hidden Files and Directories",
+ "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls \u2013a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdditionally, adversaries may name files in a manner that would allow the file to be hidden such as naming a file only a \u201cspace\u201d character.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/001",
+ "external_id": "T1564.001"
+ },
+ {
+ "source_name": "WireLurker",
+ "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.",
+ "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
+ },
+ {
+ "source_name": "Sofacy Komplex Trojan",
+ "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
+ },
+ {
+ "source_name": "Antiquated Mac Malware",
+ "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Gr@ve_Rose (tcpdump101.com on bsky)"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:23:13.914000+00:00\", \"old_value\": \"2025-10-24 17:49:34.244000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0032: Detection Strategy for Hidden Files and Directories"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 20:12:40.876000+00:00",
+ "modified": "2026-04-15 20:23:44.205000+00:00",
+ "name": "Hidden Users",
+ "description": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users. \n\nIn macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value Hide500Users to TRUE in the /Library/Preferences/com.apple.loginwindow plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When the Hide500Users key value is set to TRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the dscl utility to create hidden user accounts by setting the IsHidden attribute to 1. Adversaries can also hide a user\u2019s home folder by changing the chflags to hidden.(Citation: Apple Support Hide a User Account) \n\nAdversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)\n\nOn Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. 
For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts may be hidden from the greeter using the gsettings command (ex: sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/002",
+ "external_id": "T1564.002"
+ },
+ {
+ "source_name": "Cybereason OSX Pirrit",
+ "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.",
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
+ },
+ {
+ "source_name": "Apple Support Hide a User Account",
+ "description": "Apple. (2020, November 30). Hide a user account in macOS. Retrieved December 10, 2021.",
+ "url": "https://support.apple.com/en-us/HT203998"
+ },
+ {
+ "source_name": "FireEye SMOKEDHAM June 2021",
+ "description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.",
+ "url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
+ },
+ {
+ "source_name": "Hide GDM User Accounts",
+ "description": "Ji Mingkui. (2021, June 17). How to Hide All The User Accounts in Ubuntu 20.04, 21.04 Login Screen. Retrieved March 15, 2022.",
+ "url": "https://ubuntuhandbook.org/index.php/2021/06/hide-user-accounts-ubuntu-20-04-login-screen/"
+ },
+ {
+ "source_name": "US-CERT TA18-074A",
+ "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Omkar Gudhate"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:23:44.205000+00:00\", \"old_value\": \"2025-10-24 17:49:05.113000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1028: Operating System Configuration"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0353: Detection Strategy for Hidden User Accounts"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 20:26:49.433000+00:00",
+ "modified": "2026-04-15 20:23:51.965000+00:00",
+ "name": "Hidden Window",
+ "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)\n\nOn macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nSimilarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019)\n\nThe Windows Registry can also be edited to hide application windows from the current user. 
For example, by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe` Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)\n\nIn addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.\n\nAdversaries may also leverage cmd.exe(Citation: Cybereason - Hidden Malicious Remote Access) as a parent process, and then utilize a LOLBin, such as DeviceCredentialDeployment.exe,(Citation: LOLBAS Project GitHub Device Cred Dep)(Citation: SecureList BlueNoroff Device Cred Dev) to hide windows.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/003",
+ "external_id": "T1564.003"
+ },
+ {
+ "source_name": "Cantoris Computing",
+ "description": "Cantoris. (2016, July 22). PowerShell Malware. Retrieved December 12, 2024.",
+ "url": "https://cantoriscomputing.wordpress.com/2016/07/22/powershell-malware/"
+ },
+ {
+ "source_name": "Cybereason - Hidden Malicious Remote Access",
+ "description": "Cybereason Security Services Team. (n.d.). Behind Closed Doors: The Rise of Hidden Malicious Remote Access. Retrieved July 22, 2025.",
+ "url": "https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access"
+ },
+ {
+ "source_name": "LOLBAS Project GitHub Device Cred Dep",
+ "description": "Elliot Killick. (n.d.). /DeviceCredentialDeployment.exe. Retrieved July 22, 2025.",
+ "url": "https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/"
+ },
+ {
+ "source_name": "Hidden VNC",
+ "description": "Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.",
+ "url": "https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html"
+ },
+ {
+ "source_name": "Anatomy of an hVNC Attack",
+ "description": "Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.",
+ "url": "https://securityintelligence.com/anatomy-of-an-hvnc-attack/"
+ },
+ {
+ "source_name": "SecureList BlueNoroff Device Cred Dev",
+ "description": "Seongsu Park. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved July 22, 2025.",
+ "url": "https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
+ },
+ {
+ "source_name": "Antiquated Mac Malware",
+ "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
+ },
+ {
+ "source_name": "PowerShell About 2019",
+ "description": "Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.",
+ "url": "https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Liran Ravich, CardinalOps",
+ "Mark Tsipershtein",
+ "Travis Smith, Tripwire",
+ "Vijay Lalwani"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:23:51.965000+00:00\", \"old_value\": \"2025-10-24 17:49:23.485000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}}",
+ "previous_version": "1.4",
+ "version_change": "1.4 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1033: Limit Software Installation",
+ "M1038: Execution Prevention"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0128: Detection Strategy for Hidden Windows"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-08-24 17:23:34.470000+00:00",
+ "modified": "2026-04-15 20:24:37.027000+00:00",
+ "name": "Ignore Process Interrupts",
+ "description": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. \n\nAdversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n\nHiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/011",
+ "external_id": "T1564.011"
+ },
+ {
+ "source_name": "Linux Signal Man",
+ "description": "Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.",
+ "url": "https://man7.org/linux/man-pages/man7/signal.7.html"
+ },
+ {
+ "source_name": "nohup Linux Man",
+ "description": "Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.",
+ "url": "https://linux.die.net/man/1/nohup"
+ },
+ {
+ "source_name": "Microsoft PowerShell SilentlyContinue",
+ "description": "Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.",
+ "url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Viren Chaudhari, Qualys"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:24:37.027000+00:00\", \"old_value\": \"2025-04-15 22:41:11.807000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0067: Detection Strategy for Ignore Process Interrupts"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 20:33:00.009000+00:00",
+ "modified": "2026-04-15 20:24:50.745000+00:00",
+ "name": "NTFS File Attributes",
+ "description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/004",
+ "external_id": "T1564.004"
+ },
+ {
+ "source_name": "MalwareBytes ADS July 2015",
+ "description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
+ "url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
+ },
+ {
+ "source_name": "SpectorOps Host-Based Jul 2017",
+ "description": "Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.",
+ "url": "https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea"
+ },
+ {
+ "source_name": "Journey into IR ZeroAccess NTFS EA",
+ "description": "Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.",
+ "url": "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html"
+ },
+ {
+ "source_name": "Microsoft NTFS File Attributes Aug 2010",
+ "description": "Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved March 21, 2018.",
+ "url": "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/"
+ },
+ {
+ "source_name": "Microsoft ADS Mar 2014",
+ "description": "Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.",
+ "url": "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/"
+ },
+ {
+ "source_name": "Microsoft File Streams",
+ "description": "Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Oddvar Moe, @oddvarmoe",
+ "Red Canary"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:24:50.745000+00:00\", \"old_value\": \"2025-10-24 17:49:35.944000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][7]\": {\"source_name\": \"Oddvar Moe ADS2 Apr 2018\", \"description\": \"Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018.\", \"url\": \"https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/\"}, \"root['external_references'][8]\": {\"source_name\": \"Oddvar Moe ADS1 Jan 2018\", \"description\": \"Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018.\", \"url\": \"https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/\"}, \"root['external_references'][9]\": {\"source_name\": \"Symantec ADS May 2009\", \"description\": \"Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. Retrieved March 21, 2018.\", \"url\": \"https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0432: Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-11-19 14:13:11.335000+00:00",
+ "modified": "2026-04-15 20:25:25.946000+00:00",
+ "name": "Process Argument Spoofing",
+ "description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)\n\nAdversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) WriteProcessMemory() function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)\n\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)\n\nThis behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/010",
+ "external_id": "T1564.010"
+ },
+ {
+ "source_name": "Xpn Argue Like Cobalt 2019",
+ "description": "Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.",
+ "url": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/"
+ },
+ {
+ "source_name": "Nviso Spoof Command Line 2020",
+ "description": "Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.",
+ "url": "https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/"
+ },
+ {
+ "source_name": "FireEye FiveHands April 2021",
+ "description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.",
+ "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
+ },
+ {
+ "source_name": "Microsoft PEB 2021",
+ "description": "Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb"
+ },
+ {
+ "source_name": "Cobalt Strike Arguments 2019",
+ "description": "Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.",
+ "url": "https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:25:25.946000+00:00\", \"old_value\": \"2025-10-24 17:49:40.325000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][6]\": {\"source_name\": \"Mandiant Endpoint Evading 2019\", \"description\": \"Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.\", \"url\": \"https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0045: Detection Strategy for Process Argument Spoofing on Windows"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-10-12 20:02:31.866000+00:00",
+ "modified": "2026-04-15 20:25:32.891000+00:00",
+ "name": "Resource Forking",
+ "description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file\u2019s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/009",
+ "external_id": "T1564.009"
+ },
+ {
+ "source_name": "tau bundlore erika noerenberg 2020",
+ "description": "Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.",
+ "url": "https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html"
+ },
+ {
+ "source_name": "Resource and Data Forks",
+ "description": "Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.",
+ "url": "https://flylib.com/books/en/4.395.1.192/1/"
+ },
+ {
+ "source_name": "ELC Extended Attributes",
+ "description": "Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.",
+ "url": "https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/"
+ },
+ {
+ "source_name": "sentinellabs resource named fork 2020",
+ "description": "Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.",
+ "url": "https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/"
+ },
+ {
+ "source_name": "macOS Hierarchical File System Overview",
+ "description": "Tenon. (n.d.). Retrieved October 12, 2021.",
+ "url": "http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Ivan Sinyakov",
+ "Jaron Bradley @jbradley89"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:25:32.891000+00:00\", \"old_value\": \"2025-10-24 17:49:14.736000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1013: Application Developer Guidance"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0584: Detection Strategy for Resource Forking on macOS"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-06-29 15:36:41.535000+00:00",
+ "modified": "2026-04-15 20:26:04.116000+00:00",
+ "name": "Run Virtual Instance",
+ "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)\n\nThreat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `` property supports the creation of a shared folder, while the `` property allows the specification of a payload.(Citation: ESET MirrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: ITOCHU Sandbox PPT)\n\nIn VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. 
Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/006",
+ "external_id": "T1564.006"
+ },
+ {
+ "source_name": "ESET MirrorFace 2025",
+ "description": " Dominik Breitenbacher. (2025, March 18). Operation AkaiRy\u016b: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.",
+ "url": "https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/"
+ },
+ {
+ "source_name": "vNinja Rogue VMs 2024",
+ "description": "Christian Mohn. (2024, November 11). Beware Of The Rogue VMs!. Retrieved March 26, 2025.",
+ "url": "https://vninja.net/2024/11/11/beware-of-the-rogue-vms/"
+ },
+ {
+ "source_name": "SingHealth Breach Jan 2019",
+ "description": "Committee of Inquiry into the Cyber Attack on SingHealth. (2019, January 10). Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited's Patient Database. Retrieved June 29, 2020.",
+ "url": "https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx"
+ },
+ {
+ "source_name": "CyberCX Akira Ransomware",
+ "description": "CyberCX. (2023, September 15). Weaponising VMs to bypass EDR \u2013 Akira ransomware. Retrieved April 4, 2025.",
+ "url": "https://cybercx.com.au/blog/akira-ransomware/"
+ },
+ {
+ "source_name": "Securonix CronTrap 2024",
+ "description": "Den Iuzvyk and Tim Peck. (2024, November 4). CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging. Retrieved May 22, 2025.",
+ "url": "https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/"
+ },
+ {
+ "source_name": "ITOCHU Hack the Sandbox",
+ "description": "ITOCHU Cyber & Intelligence Inc.. (2025, March 12). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.",
+ "url": "https://blog-en.itochuci.co.jp/entry/2025/03/12/140000"
+ },
+ {
+ "source_name": "ITOCHU Sandbox PPT",
+ "description": "ITOCHU Cyber & Intelligence Inc.. (n.d.). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.",
+ "url": "https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_2_9_kamekawa_sasada_niwa_en.pdf"
+ },
+ {
+ "source_name": "MITRE VMware Abuse 2024",
+ "description": "Lex Crumpton. (2024, May 22). Infiltrating Defenses: Abusing VMware in MITRE\u2019s Cyber Intrusion. Retrieved March 26, 2025.",
+ "url": "https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b"
+ },
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Enis Aksu",
+ "Janantha Marasinghe",
+ "Jiraput Thamsongkrah",
+ "Johann Rehberger",
+ "Menachem Shafran, XM Cyber",
+ "Natthawut Saexu",
+ "Purinut Wongwaiwuttiguldej",
+ "Satoshi Kamekawa, ITOCHU Cyber & Intelligence Inc.",
+ "Shuhei Sasada, ITOCHU Cyber & Intelligence Inc.",
+ "Yusuke Niwa, ITOCHU Cyber & Intelligence Inc."
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:26:04.116000+00:00\", \"old_value\": \"2025-11-05 15:22:05.269000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1038: Execution Prevention",
+ "M1042: Disable or Remove Feature or Program",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0321: Detection Strategy for Hidden Virtual Instance Execution"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-17 12:51:40.845000+00:00",
+ "modified": "2026-04-15 20:26:09.220000+00:00",
+ "name": "VBA Stomping",
+ "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero\u2019s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1564/007",
+ "external_id": "T1564.007"
+ },
+ {
+ "source_name": "pcodedmp Bontchev",
+ "description": "Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.",
+ "url": "https://github.com/bontchev/pcodedmp"
+ },
+ {
+ "source_name": "FireEye VBA stomp Feb 2020",
+ "description": "Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html"
+ },
+ {
+ "source_name": "Evil Clippy May 2019",
+ "description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.",
+ "url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/"
+ },
+ {
+ "source_name": "Microsoft _VBA_PROJECT Stream",
+ "description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.",
+ "url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239"
+ },
+ {
+ "source_name": "Walmart Roberts Oct 2018",
+ "description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020.",
+ "url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Rick Cole, Mandiant"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:26:09.220000+00:00\", \"old_value\": \"2025-10-24 17:49:22.623000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][6]\": {\"source_name\": \"oletools toolkit\", \"description\": \"decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020.\", \"url\": \"https://github.com/decalage2/oletools\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1042: Disable or Remove Feature or Program"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0012: Detection Strategy for VBA Stomping"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-12 20:38:12.465000+00:00",
+ "modified": "2026-04-20 21:18:17.156000+00:00",
+ "name": "Hijack Execution Flow",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574",
+ "external_id": "T1574"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-20 21:18:17.156000+00:00\", \"old_value\": \"2025-10-24 17:49:13.820000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}, \"root['external_references'][1]\": {\"source_name\": \"Autoruns for Windows\", \"description\": \"Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1013: Application Developer Guidance",
+ "M1018: User Account Management",
+ "M1022: Restrict File and Directory Permissions",
+ "M1024: Restrict Registry Permissions",
+ "M1038: Execution Prevention",
+ "M1040: Behavior Prevention on Endpoint",
+ "M1044: Restrict Library Loading",
+ "M1047: Audit",
+ "M1051: Update Software",
+ "M1052: User Account Control"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0218: Detection Strategy for Hijack Execution Flow across OS platforms."
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-03-28 15:36:34.141000+00:00",
+ "modified": "2026-04-15 22:57:09.601000+00:00",
+ "name": "AppDomainManager",
+ "description": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/014",
+ "external_id": "T1574.014"
+ },
+ {
+ "source_name": "PenTestLabs AppDomainManagerInject",
+ "description": "Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND DETECTION. Retrieved March 28, 2024.",
+ "url": "https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/"
+ },
+ {
+ "source_name": "Microsoft App Domains",
+ "description": "Microsoft. (2021, September 15). Application domains. Retrieved March 28, 2024.",
+ "url": "https://learn.microsoft.com/dotnet/framework/app-domains/application-domains"
+ },
+ {
+ "source_name": "PwC Yellow Liderc",
+ "description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.",
+ "url": "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
+ },
+ {
+ "source_name": "Rapid7 AppDomain Manager Injection",
+ "description": "Spagnola, N. (2023, May 5). AppDomain Manager Injection: New Techniques For Red Teams. Retrieved March 29, 2024.",
+ "url": "https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Ivy Drexel",
+ "Thomas B"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:57:09.601000+00:00\", \"old_value\": \"2025-04-15 21:48:08.401000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0517: Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows."
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-06-24 22:30:55.843000+00:00",
+ "modified": "2026-04-16 18:58:17.752000+00:00",
+ "name": "COR_PROFILER",
+ "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/012",
+ "external_id": "T1574.012"
+ },
+ {
+ "source_name": "Almond COR_PROFILER Apr 2019",
+ "description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.",
+ "url": "https://offsec.almond.consulting/UAC-bypass-dotnet.html"
+ },
+ {
+ "source_name": "Red Canary COR_PROFILER May 2020",
+ "description": "Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.",
+ "url": "https://redcanary.com/blog/cor_profiler-for-persistence/"
+ },
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/"
+ },
+ {
+ "source_name": "Microsoft COR_PROFILER Feb 2013",
+ "description": "Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.",
+ "url": "https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)"
+ },
+ {
+ "source_name": "Microsoft Profiling Mar 2017",
+ "description": "Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.",
+ "url": "https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview"
+ },
+ {
+ "source_name": "subTee .NET Profilers May 2017",
+ "description": "Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020.",
+ "url": "https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html"
+ },
+ {
+ "source_name": "GitHub OmerYa Invisi-Shell",
+ "description": "Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.",
+ "url": "https://github.com/OmerYa/Invisi-Shell"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Jesse Brown, Red Canary"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 18:58:17.752000+00:00\", \"old_value\": \"2025-10-24 17:49:40.510000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\", \"old_value\": \"Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n \\n-Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\\n+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may leverage the COR_PROFILER environment variab t Adversaries may leverage the COR_PROFILER environment variab \n le to hijack the execution flow of programs that load the .N le to hijack the execution flow of programs that load the .N \n ET CLR. The COR_PROFILER is a .NET Framework feature which a ET CLR. The COR_PROFILER is a .NET Framework feature which a \n llows developers to specify an unmanaged (or external of .NE llows developers to specify an unmanaged (or external of .NE \n T) profiling DLL to be loaded into each .NET process that lo T) profiling DLL to be loaded into each .NET process that lo \n ads the Common Language Runtime (CLR). These profilers are d ads the Common Language Runtime (CLR). These profilers are d \n esigned to monitor, troubleshoot, and debug managed code exe esigned to monitor, troubleshoot, and debug managed code exe \n cuted by the .NET CLR.(Citation: Microsoft Profiling Mar 201 cuted by the .NET CLR.(Citation: Microsoft Profiling Mar 201 \n 7)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFI 7)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFI \n LER environment variable can be set at various scopes (syste LER environment variable can be set at various scopes (syste \n m, user, or process) resulting in different levels of influe m, user, or process) resulting in different levels of influe \n nce. System and user-wide environment variable scopes are sp nce. System and user-wide environment variable scopes are sp \n ecified in the Registry, where a [Component Object Model](ht ecified in the Registry, where a [Component Object Model](ht \n tps://attack.mitre.org/techniques/T1559/001) (COM) object ca tps://attack.mitre.org/techniques/T1559/001) (COM) object ca \n n be registered as a profiler DLL. A process scope COR_PROFI n be registered as a profiler DLL. 
A process scope COR_PROFI \n LER can also be created in-memory without modifying the Regi LER can also be created in-memory without modifying the Regi \n stry. Starting with .NET Framework 4, the profiling DLL does stry. Starting with .NET Framework 4, the profiling DLL does \n not need to be registered as long as the location of the DL not need to be registered as long as the location of the DL \n L is specified in the COR_PROFILER_PATH environment variable L is specified in the COR_PROFILER_PATH environment variable \n .(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries ma .(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries ma \n y abuse COR_PROFILER to establish persistence that executes y abuse COR_PROFILER to establish persistence that executes \n a malicious DLL in the context of all .NET processes every t a malicious DLL in the context of all .NET processes every t \n ime the CLR is invoked. The COR_PROFILER can also be used to ime the CLR is invoked. The COR_PROFILER can also be used to \n elevate privileges (ex: [Bypass User Account Control](https elevate privileges (ex: [Bypass User Account Control](https \n ://attack.mitre.org/techniques/T1548/002)) if the victim .NE ://attack.mitre.org/techniques/T1548/002)) if the victim .NE \n T process executes at a higher permission level, as well as T process executes at a higher permission level, as well as \n to hook and [Impair Defenses] (https ://atta ck.mitre.org/techn to hook and impair defenses provided by .NET processes. (Cita \n iques/T1562) provided b y .NET processes.(Citation: RedCanary tion : RedCanary Mo ckingbird Ma y 2020)(Citation: Red Canary C \n Mockingbird May 2020)(Citation: Red Canary COR_PROFILER MayOR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019 \n 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: Git )(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NE \n Hub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May T Profilers May 2017) \n 2017) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1024: Restrict Registry Permissions",
+ "M1038: Execution Prevention"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0479: Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER."
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 18:11:08.357000+00:00",
+ "modified": "2026-04-15 22:57:22.515000+00:00",
+ "name": "DLL",
+ "description": "Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)\n\nSpecific ways DLLs are abused by adversaries include:\n\n### DLL Sideloading\nAdversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).\n\nSide-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.\n\nAdversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)\n\nAdversaries may chain DLL sideloading multiple times to fragment functionality hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions. (Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malware\u2019s behavior. Another method implements a \u201cloader-for-a-loader\u201d, where a malicious DLL\u2019s sole role is to load a second DLL (or a chain of DLLs) that contain the real payload. 
(Citation: Sophos)\n\n### DLL Search Order Hijacking\nAdversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)\n\n### DLL Redirection\nAdversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)\n\n### Phantom DLL Hijacking\nAdversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)\n\n### DLL Substitution\nAdversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)\n\nPrograms that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.\n\nRemote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)\n\nIf a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. 
In this case, the technique could be used for privilege escalation.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/001",
+ "external_id": "T1574.001"
+ },
+ {
+ "source_name": "Hijack DLLs CrowdStrike",
+ "description": " falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries Hijack DLLs \u2014 and How CrowdStrike Falcon OverWatch Fights Back. Retrieved January 30, 2025.",
+ "url": "https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/"
+ },
+ {
+ "source_name": "kroll bpl",
+ "description": "Dave Truman. (2024, June 24). Novel Technique Combination Used In IDATLOADER Distribution. Retrieved January 30, 2025.",
+ "url": "https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution"
+ },
+ {
+ "source_name": "Sophos",
+ "description": "Gabor Szappanos. (2023, May 3). A doubled \u201cDragon Breath\u201d adds new air to DLL sideloading attacks. Retrieved October 3, 2025.",
+ "url": "https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/"
+ },
+ {
+ "source_name": "Hexacorn DLL Hijacking",
+ "description": "Hexacorn. (2013, December 8). Beyond good ol\u2019 Run key, Part 5. Retrieved August 14, 2024.",
+ "url": "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/"
+ },
+ {
+ "source_name": "microsoft remote preloading",
+ "description": "Microsoft. (2014, May 13). Microsoft Security Advisory 2269637: Insecure Library Loading Could Allow Remote Code Execution. Retrieved January 30, 2025.",
+ "url": "https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637"
+ },
+ {
+ "source_name": "Microsoft - manifests/assembly",
+ "description": "Microsoft. (2021, January 7). Manifests. Retrieved January 30, 2025.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests?redirectedfrom=MSDN"
+ },
+ {
+ "source_name": "Microsoft redirection",
+ "description": "Microsoft. (2023, October 12). Dynamic-link library redirection. Retrieved January 30, 2025.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN"
+ },
+ {
+ "source_name": "dll pre load owasp",
+ "description": "OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025.",
+ "url": "https://owasp.org/www-community/attacks/Binary_planting"
+ },
+ {
+ "source_name": "Virus Bulletin",
+ "description": "Suguru Ishimaru, Hajime Yanagishita, Yusuke Niwa. (2023, October 5). Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload. Retrieved October 3, 2025.",
+ "url": "https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/"
+ },
+ {
+ "source_name": "unit 42",
+ "description": "Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22). Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30, 2025.",
+ "url": "https://unit42.paloaltonetworks.com/dll-hijacking-techniques/"
+ },
+ {
+ "source_name": "Wietze Beukema DLL Hijacking",
+ "description": "Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved April 8, 2025.",
+ "url": "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Ami Holeston, CrowdStrike",
+ "Hajime Yanagishita, Macnica, Inc.",
+ "Marina Liang",
+ "Stefan Kanthak",
+ "Suguru Ishimaru, ITOCHU Cyber & Intelligence Inc.",
+ "Travis Smith, Tripwire",
+ "Wietze Beukema @Wietze",
+ "Will Alexander, CrowdStrike",
+ "Yusuke Niwa, ITOCHU Cyber & Intelligence Inc."
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:57:22.515000+00:00\", \"old_value\": \"2025-11-06 17:52:37.747000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1013: Application Developer Guidance",
+ "M1038: Execution Prevention",
+ "M1044: Restrict Library Loading",
+ "M1047: Audit",
+ "M1051: Update Software"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0201: Detection Strategy for Hijack Execution Flow for DLLs"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-16 15:23:30.896000+00:00",
+ "modified": "2026-04-15 22:58:27.104000+00:00",
+ "name": "Dylib Hijacking",
+ "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/004",
+ "external_id": "T1574.004"
+ },
+ {
+ "source_name": "MalwareUnicorn macOS Dylib Injection MachO",
+ "description": "Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.",
+ "url": "https://malwareunicorn.org/workshops/macos_dylib_injection.html#5"
+ },
+ {
+ "source_name": "Wardle Dylib Hijacking OSX 2015",
+ "description": "Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved March 29, 2021.",
+ "url": "https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf"
+ },
+ {
+ "source_name": "Writing Bad Malware for OSX",
+ "description": "Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.",
+ "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf"
+ },
+ {
+ "source_name": "Wardle Dylib Hijack Vulnerable Apps",
+ "description": "Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.",
+ "url": "https://objective-see.com/blog/blog_0x46.html"
+ },
+ {
+ "source_name": "wardle artofmalware volume1",
+ "description": "Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved November 17, 2024.",
+ "url": "https://taomm.org/vol1/read.html"
+ },
+ {
+ "source_name": "Github EmpireProject HijackScanner",
+ "description": "Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.",
+ "url": "https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py"
+ },
+ {
+ "source_name": "Github EmpireProject CreateHijacker Dylib",
+ "description": "Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.",
+ "url": "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:58:27.104000+00:00\", \"old_value\": \"2025-10-24 17:49:39.243000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}, \"root['external_references'][2]\": {\"source_name\": \"Apple Developer Doco Archive Run-Path\", \"description\": \"Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.\", \"url\": \"https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0152: Detection Strategy for Hijack Execution Flow: Dylib Hijacking"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 20:09:59.569000+00:00",
+ "modified": "2026-04-15 22:57:21.530000+00:00",
+ "name": "Dynamic Linker Hijacking",
+ "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)\n\nHijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious library\u2019s `execve` function is executed rather than the system function `execve` contained in the system library on disk. 
This allows adversaries to [Hide Artifacts](https://attack.mitre.org/techniques/T1564) from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)\n\nHijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/006",
+ "external_id": "T1574.006"
+ },
+ {
+ "source_name": "Apple Doco Archive Dynamic Libraries",
+ "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
+ "url": "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
+ },
+ {
+ "source_name": "Baeldung LD_PRELOAD",
+ "description": "baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021.",
+ "url": "https://www.baeldung.com/linux/ld_preload-trick-what-is"
+ },
+ {
+ "source_name": "TheEvilBit DYLD_INSERT_LIBRARIES",
+ "description": "Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020.",
+ "url": "https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/"
+ },
+ {
+ "source_name": "Intezer Symbiote 2022",
+ "description": "Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.",
+ "url": "https://intezer.com/blog/research/new-linux-threat-symbiote/"
+ },
+ {
+ "source_name": "Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass",
+ "description": "Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021.",
+ "url": "https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191"
+ },
+ {
+ "source_name": "Man LD.SO",
+ "description": "Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.",
+ "url": "https://www.man7.org/linux/man-pages/man8/ld.so.8.html"
+ },
+ {
+ "source_name": "Elastic Security Labs Pumakit 2024",
+ "description": "Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing PUMAKIT. Retrieved March 24, 2025.",
+ "url": "https://www.elastic.co/security-labs/declawing-pumakit"
+ },
+ {
+ "source_name": "TLDP Shared Libraries",
+ "description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.",
+ "url": "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html"
+ },
+ {
+ "source_name": "Timac DYLD_INSERT_LIBRARIES",
+ "description": "Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.",
+ "url": "https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/"
+ },
+ {
+ "source_name": "ESET Ebury Oct 2017",
+ "description": "Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.",
+ "url": "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:57:21.530000+00:00\", \"old_value\": \"2025-10-24 17:48:51.810000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1028: Operating System Configuration",
+ "M1038: Execution Prevention"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0435: Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 11:12:18.558000+00:00",
+ "modified": "2026-04-15 23:02:03.423000+00:00",
+ "name": "Executable Installer File Permissions Weakness",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). 
Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/005",
+ "external_id": "T1574.005"
+ },
+ {
+ "source_name": "mozilla_sec_adv_2012",
+ "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
+ "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
+ },
+ {
+ "source_name": "Executable Installers are Vulnerable",
+ "description": "Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.",
+ "url": "https://seclists.org/fulldisclosure/2015/Dec/34"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Stefan Kanthak",
+ "Travis Smith, Tripwire"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:02:03.423000+00:00\", \"old_value\": \"2025-10-24 17:48:56.875000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit",
+ "M1052: User Account Control"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0038: Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-02-25 15:27:44.927000+00:00",
+ "modified": "2026-04-15 23:01:58.951000+00:00",
+ "name": "KernelCallbackTable",
+ "description": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable)\n\nAn adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.\n\nA pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)\n\nThe tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/013",
+ "external_id": "T1574.013"
+ },
+ {
+ "source_name": "FinFisher exposed ",
+ "description": "Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.",
+ "url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
+ },
+ {
+ "source_name": "NtQueryInformationProcess",
+ "description": "Microsoft. (2021, November 23). NtQueryInformationProcess function (winternl.h). Retrieved February 4, 2022.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess"
+ },
+ {
+ "source_name": "Windows Process Injection KernelCallbackTable",
+ "description": "odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable used by FinFisher / FinSpy. Retrieved February 4, 2022.",
+ "url": "https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/"
+ },
+ {
+ "source_name": "Lazarus APT January 2022",
+ "description": "Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.",
+ "url": "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:01:58.951000+00:00\", \"old_value\": \"2025-10-24 17:49:11.077000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1040: Behavior Prevention on Endpoint"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0577: Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows."
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 14:10:43.424000+00:00",
+ "modified": "2026-04-15 23:01:52.753000+00:00",
+ "name": "Path Interception by PATH Environment Variable",
+ "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \n\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\n\nFor example, on Windows if an adversary places a malicious program named \"net.exe\" in `C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe` in the PATH environment variable, when \"net\" is executed from the command-line the `C:\\example path` will be called instead of the system's legitimate executable at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. 
These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/007",
+ "external_id": "T1574.007"
+ },
+ {
+ "source_name": "Elastic Rules macOS launchctl 2022",
+ "description": "Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.",
+ "url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html"
+ },
+ {
+ "source_name": "ExpressVPN PATH env Windows 2021",
+ "description": "ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.",
+ "url": "https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/"
+ },
+ {
+ "source_name": "uptycs Fake POC linux malware 2023",
+ "description": "Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.",
+ "url": "https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware"
+ },
+ {
+ "source_name": "nixCraft macOS PATH variables",
+ "description": "Vivek Gite. (2023, August 22). MacOS \u2013 Set / Change $PATH Variable Command. Retrieved September 28, 2023.",
+ "url": "https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Stefan Kanthak"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:01:52.753000+00:00\", \"old_value\": \"2025-10-24 17:48:22.736000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1038: Execution Prevention",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0004: Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable."
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 17:48:58.999000+00:00",
+ "modified": "2026-04-15 23:01:48.263000+00:00",
+ "name": "Path Interception by Search Order Hijacking",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL](https://attack.mitre.org/techniques/T1574/001).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/008",
+ "external_id": "T1574.008"
+ },
+ {
+ "source_name": "Microsoft Environment Property",
+ "description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.",
+ "url": "https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN"
+ },
+ {
+ "source_name": "Microsoft CreateProcess",
+ "description": "Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
+ },
+ {
+ "source_name": "Microsoft WinExec",
+ "description": "Microsoft. (n.d.). WinExec function. Retrieved September 12, 2024.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec"
+ },
+ {
+ "source_name": "Windows NT Command Shell",
+ "description": "Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014.",
+ "url": "https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Stefan Kanthak"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:01:48.263000+00:00\", \"old_value\": \"2025-10-24 17:48:49.665000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1038: Execution Prevention",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0564: Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 13:51:58.519000+00:00",
+ "modified": "2026-04-15 23:01:45.477000+00:00",
+ "name": "Path Interception by Unquoted Path",
+ "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/009",
+ "external_id": "T1574.009"
+ },
+ {
+ "source_name": "Windows Privilege Escalation Guide",
+ "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
+ "url": "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
+ },
+ {
+ "source_name": "Windows Unquoted Services",
+ "description": "HackHappy. (2018, April 23). Windows Privilege Escalation \u2013 Unquoted Services. Retrieved August 10, 2018.",
+ "url": "https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/"
+ },
+ {
+ "source_name": "Help eliminate unquoted path",
+ "description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.",
+ "url": "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464"
+ },
+ {
+ "source_name": "Microsoft CurrentControlSet Services",
+ "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.",
+ "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Stefan Kanthak"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:01:45.477000+00:00\", \"old_value\": \"2025-10-24 17:49:19.228000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1038: Execution Prevention",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0064: Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-12 20:43:53.998000+00:00",
+ "modified": "2026-04-15 23:02:37.539000+00:00",
+ "name": "Services File Permissions Weakness",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/010",
+ "external_id": "T1574.010"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Stefan Kanthak",
+ "Travis Smith, Tripwire"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:02:37.539000+00:00\", \"old_value\": \"2025-10-24 17:49:09.575000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit",
+ "M1052: User Account Control"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0436: Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness."
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-13 11:42:14.444000+00:00",
+ "modified": "2026-04-15 23:02:58.258000+00:00",
+ "name": "Services Registry Permissions Weakness",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service\u2019s Registry tree. 
For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service\u2019s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which can reference malicious drivers file paths. This technique has been identified to be a method of abuse by configuring DLL file paths within the Parameters key of a given services registry configuration. By placing and configuring the Parameters key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked.\n\nFor example, the registry path(Citation: MDSec) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters(Citation: hexacorn)(Citation: gendigital) contains the AutodiaDLL value, which specifies the DLL to be loaded for autodial funcitionality. An adversary could set the AutodiaDLL to point to a hijacked or malicious DLL:\n\n\"AutodialDLL\"=\"c:\\temp\\foo.dll\"\n\nThis ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1574/011",
+ "external_id": "T1574.011"
+ },
+ {
+ "source_name": "Tweet Registry Perms Weakness",
+ "description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved September 12, 2024.",
+ "url": "https://x.com/r0wdy_/status/936365549553991680"
+ },
+ {
+ "source_name": "insecure_reg_perms",
+ "description": "Cl\u00e9ment Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.",
+ "url": "https://itm4n.github.io/windows-registry-rpceptmapper-eop/"
+ },
+ {
+ "source_name": "hexacorn",
+ "description": "hexacorn. (2015, January 13). Beyond good ol\u2019 Run key, Part 24. Retrieved September 25, 2025.",
+ "url": "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/"
+ },
+ {
+ "source_name": "Kansa Service related collectors",
+ "description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
+ "url": "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html"
+ },
+ {
+ "source_name": "malware_hides_service",
+ "description": "Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.",
+ "url": "https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/"
+ },
+ {
+ "source_name": "MDSec",
+ "description": "MDSec. (n.d.). Autodial(DLL)ing Your Way. Retrieved September 25, 2025.",
+ "url": "https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/"
+ },
+ {
+ "source_name": "Registry Key Security",
+ "description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN"
+ },
+ {
+ "source_name": "microsoft_services_registry_tree",
+ "description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
+ },
+ {
+ "source_name": "gendigital",
+ "description": "Threat Research Team. (2022, March 22). Operation Dragon Castling: APT group targeting betting companies. Retrieved September 25, 2025.",
+ "url": "https://www.gendigital.com/blog/insights/research/operation-dragon-castling-apt-group-targeting-betting-companies"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Joe Gumke, U.S. Bank",
+ "Matthew Demaske, Adaptforward",
+ "Travis Smith, Tripwire"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 23:02:58.258000+00:00\", \"old_value\": \"2025-10-24 17:48:27.075000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}, \"root['kill_chain_phases'][1]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"execution\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}, \"root['kill_chain_phases'][0]\": {\"new_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"stealth\"}, \"old_value\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"persistence\"}}}, \"iterable_item_removed\": {\"root['kill_chain_phases'][2]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"defense-evasion\"}, \"root['external_references'][6]\": {\"source_name\": \"Autoruns for Windows\", \"description\": \"Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1024: Restrict Registry Permissions"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0427: Detection Strategy for Hijack Execution Flow through Service Registry Premission Weakness."
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-05-31 21:30:55.892000+00:00",
+ "modified": "2026-04-15 15:10:02.929000+00:00",
+ "name": "Indicator Removal",
+ "description": "Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.\n\nArtifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.\n\nThese actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070",
+ "external_id": "T1070"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Brad Geesaman, @bradgeesaman",
+ "Ed Williams, Trustwave, SpiderLabs",
+ "Blake Strom, Microsoft 365 Defender"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers",
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Network Devices",
+ "Office Suite",
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 15:10:02.929000+00:00\", \"old_value\": \"2025-10-24 17:48:59.237000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.\\n\\nArtifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.\\n\\nThese actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.\", \"old_value\": \"Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary\\u2019s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. 
Location, format, and type of artifact (such as command or login history) are often specific to each platform.\\n\\nRemoval of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary\\u2019s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\\n+Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.\\n \\n-Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.\\n+Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. 
Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.\\n+\\n+These actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.4\"}}}",
+ "previous_version": "2.4",
+ "version_change": "2.4 \u2192 3.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may delete or modify artifacts generated within t Adversaries may selectively delete or modify artifacts gener \n systems to remove evidence of their presence or hinder defen ated to reduce indications of their presence and blend in wi \n ses. Various artifacts may be created by an adversary or som th legitimate activity. Rather than broadly removing evidenc \n ething that can be attributed to an adversary\u2019s actions. Typ e, adversaries may target specific artifacts that appear ano \n ically these artifacts are used as defensive indicators rela malous or are likely to draw scrutiny, while leaving suffici \n ted to monitored events, such as strings from downloaded fil ent data intact to maintain the appearance of normal system \n es, logs that are generated from user actions, and other dat behavior. Artifacts such as command histories, log entries, \n a analyzed by defenders. Location, format, and type of artif or file metadata may be altered in ways that align with exp \n act (such as command or login history) are often specific to ected user or system activity. Location, format, and type of \n each platform. Removal of these indicators may interfere w artifact (such as command or login history) are often platf \n ith event collection, reporting, or other processes used to orm-specific, allowing adversaries to tailor modifications t \n detect intrusion activity. This may compromise the integrity hat minimize suspicion. These actions may not prevent detec \n of security solutions by causing notable events to go unrep tion entirely but can delay recognition of malicious activit \n orted. This activity may also impede forensic analysis and i y or reduce the fidelity of alerts by making events appear b \n ncident response, due to lack of sufficient data to determin enign or consistent with routine operations. Additionally, s \n e what occurred. 
electively removed or modified artifacts may still be recove \n rable through deeper forensic analysis, though their absence \n or alteration can complicate timeline reconstruction and at \n tribution. \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1029: Remote Data Storage",
+ "M1041: Encrypt Sensitive Information"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0184: Behavioral Detection of Indicator Removal Across Platforms"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-31 12:32:08.228000+00:00",
+ "modified": "2026-04-15 20:27:09.604000+00:00",
+ "name": "Clear Command History",
+ "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history. \n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). 
This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070/003",
+ "external_id": "T1070.003"
+ },
+ {
+ "source_name": "Broadcom ESXi Shell Audit",
+ "description": "Broadcom. (2025, February 20). Auditing ESXi Shell logins and commands. Retrieved March 26, 2025.",
+ "url": "https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html"
+ },
+ {
+ "source_name": "Sophos PowerShell command audit",
+ "description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.",
+ "url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit"
+ },
+ {
+ "source_name": "Microsoft PowerShell Command History",
+ "description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.",
+ "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7"
+ },
+ {
+ "source_name": "US-CERT-TA18-106A",
+ "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+ },
+ {
+ "source_name": "Sophos PowerShell Command History Forensics",
+ "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024.",
+ "url": "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Vikas Singh, Sophos",
+ "Emile Kenning, Sophos",
+ "Austin Clark, @c2defense"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Network Devices",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:27:09.604000+00:00\", \"old_value\": \"2025-10-24 17:48:40.313000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.6\"}}}",
+ "previous_version": "1.6",
+ "version_change": "1.6 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1029: Remote Data Storage",
+ "M1039: Environment Variable Permissions"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0165: Behavioral Detection of Command History Clearing"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--438c967d-3996-4870-bfc2-3954752a1927",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-07-08 21:04:03.739000+00:00",
+ "modified": "2026-04-15 20:27:22.074000+00:00",
+ "name": "Clear Mailbox Data",
+ "description": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. \n\nAdversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)\n\nAdversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070/008",
+ "external_id": "T1070.008"
+ },
+ {
+ "source_name": "Volexity SolarWinds",
+ "description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.",
+ "url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
+ },
+ {
+ "source_name": "Cybereason Cobalt Kitty 2017",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf"
+ },
+ {
+ "source_name": "mailx man page",
+ "description": "Michael Kerrisk. (2021, August 27). mailx(1p) \u2014 Linux manual page. Retrieved June 10, 2022.",
+ "url": "https://man7.org/linux/man-pages/man1/mailx.1p.html"
+ },
+ {
+ "source_name": "ExchangePowerShell Module",
+ "description": "Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.",
+ "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes"
+ },
+ {
+ "source_name": "Microsoft OAuth Spam 2022",
+ "description": "Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Liran Ravich, CardinalOps"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Office Suite",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:27:22.074000+00:00\", \"old_value\": \"2025-04-15 21:56:59.810000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1029: Remote Data Storage",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0266: Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-06-15 18:00:04.219000+00:00",
+ "modified": "2026-04-16 19:27:07.242000+00:00",
+ "name": "Clear Network Connection History and Configurations",
+ "description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\n\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\n\nWindows may also store information about recent RDP connections in files such as C:\\Users\\\\%username%\\Documents\\Default.rdp and `C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal\nServer Client\\Cache\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070/007",
+ "external_id": "T1070.007"
+ },
+ {
+ "source_name": "FreeDesktop Journal",
+ "description": "freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022.",
+ "url": "https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html"
+ },
+ {
+ "source_name": "Microsoft RDP Removal",
+ "description": "Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022.",
+ "url": "https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer"
+ },
+ {
+ "source_name": "Moran RDPieces",
+ "description": "Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022.",
+ "url": "https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf"
+ },
+ {
+ "source_name": "Apple Culprit Access",
+ "description": "rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem?. Retrieved August 3, 2022.",
+ "url": "https://discussions.apple.com/thread/3991574"
+ },
+ {
+ "source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing",
+ "description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.",
+ "url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "CrowdStrike Falcon OverWatch"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows",
+ "Network Devices"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 19:27:07.242000+00:00\", \"old_value\": \"2025-04-16 20:37:16.734000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n\\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\n\\nWindows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\nServer Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or 
tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\", \"old_value\": \"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n\\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\n\\nWindows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\nServer Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). 
Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\", \"diff\": \"--- \\n+++ \\n@@ -8,4 +8,4 @@\\n Windows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\n Server Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n \\n-Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\\n+Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may clear or remove evidence of malicious networ t Adversaries may clear or remove evidence of malicious networ \n k connections in order to clean up traces of their operation k connections in order to clean up traces of their operation \n s. Configuration settings as well as various artifacts that s. Configuration settings as well as various artifacts that \n highlight connection history may be created on a system and/ highlight connection history may be created on a system and/ \n or in application logs from behaviors that require network c or in application logs from behaviors that require network c \n onnections, such as [Remote Services](https://attack.mitre.o onnections, such as [Remote Services](https://attack.mitre.o \n rg/techniques/T1021) or [External Remote Services](https://a rg/techniques/T1021) or [External Remote Services](https://a \n ttack.mitre.org/techniques/T1133). Defenders may use these a ttack.mitre.org/techniques/T1133). Defenders may use these a \n rtifacts to monitor or otherwise analyze network connections rtifacts to monitor or otherwise analyze network connections \n created by adversaries. Network connection history may be created by adversaries. Network connection history may be \n stored in various locations. For example, RDP connection his stored in various locations. 
For example, RDP connection his \n tory may be stored in Windows Registry values under (Citatio tory may be stored in Windows Registry values under (Citatio \n n: Microsoft RDP Removal): * <code>HKEY_CURRENT_USER\\Softwa n: Microsoft RDP Removal): * <code>HKEY_CURRENT_USER\\Softwa \n re\\Microsoft\\Terminal Server Client\\Default</code> * <code>H re\\Microsoft\\Terminal Server Client\\Default</code> * <code>H \n KEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\S KEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\S \n ervers</code> Windows may also store information about rece ervers</code> Windows may also store information about rece \n nt RDP connections in files such as <code>C:\\Users\\\\%usernam nt RDP connections in files such as <code>C:\\Users\\\\%usernam \n e%\\Documents\\Default.rdp</code> and `C:\\Users\\%username%\\App e%\\Documents\\Default.rdp</code> and `C:\\Users\\%username%\\App \n Data\\Local\\Microsoft\\Terminal Server Client\\Cache\\`.(Citatio Data\\Local\\Microsoft\\Terminal Server Client\\Cache\\`.(Citatio \n n: Moran RDPieces) Similarly, macOS and Linux hosts may stor n: Moran RDPieces) Similarly, macOS and Linux hosts may stor \n e information highlighting connection history in system logs e information highlighting connection history in system logs \n (such as those stored in `/Library/Logs` and/or `/var/log/` (such as those stored in `/Library/Logs` and/or `/var/log/` \n ).(Citation: Apple Culprit Access)(Citation: FreeDesktop Jou ).(Citation: Apple Culprit Access)(Citation: FreeDesktop Jou \n rnal)(Citation: Apple Unified Log Analysis Remote Login and rnal)(Citation: Apple Unified Log Analysis Remote Login and \n Screen Sharing) Malicious network connections may also requ Screen Sharing) Malicious network connections may also requ \n ire changes to third-party applications or network configura ire changes to third-party applications or network configura \n tion settings, such as [Disable or Modify System 
Firewall](h tion settings, such as [Disable or Modify System Firewall](h \n ttps://attack.mitre.org/techniques/T15 62/004 ) or tampering t ttps://attack.mitre.org/techniques/T1686 ) or tampering to en \n o enable [Proxy](https://attack.mitre.org/techniques/T1090). able [Proxy](https://attack.mitre.org/techniques/T1090). Adv \n Adversaries may delete or modify this data to conceal indic ersaries may delete or modify this data to conceal indicator \n ators and/or impede defensive analysis. s and/or impede defensive analysis. \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1024: Restrict Registry Permissions",
+ "M1029: Remote Data Storage"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0049: Behavioral Detection of Network History and Configuration Tampering"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-07-29 19:32:11.552000+00:00",
+ "modified": "2026-04-15 20:28:24.292000+00:00",
+ "name": "Clear Persistence",
+ "description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)\n\nIn some instances, artifacts of persistence may also be removed once an adversary\u2019s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070/009",
+ "external_id": "T1070.009"
+ },
+ {
+ "source_name": "Cylance Dust Storm",
+ "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.",
+ "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
+ },
+ {
+ "source_name": "Talos - Cisco Attack 2022",
+ "description": "Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023.",
+ "url": "https://blog.talosintelligence.com/recent-cyber-attack/"
+ },
+ {
+ "source_name": "NCC Group Team9 June 2020",
+ "description": "Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.",
+ "url": "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Gavin Knapp"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:28:24.292000+00:00\", \"old_value\": \"2025-04-16 20:37:21.515000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1029: Remote Data Storage"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0040: Detection of Persistence Artifact Removal Across Host Platforms"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-31 12:35:36.479000+00:00",
+ "modified": "2026-04-15 20:28:46.342000+00:00",
+ "name": "File Deletion",
+ "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows, rm or unlink on Linux and macOS, and `rm` on ESXi.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070/004",
+ "external_id": "T1070.004"
+ },
+ {
+ "source_name": "Microsoft SDelete July 2016",
+ "description": "Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.",
+ "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Walker Johnson"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:28:46.342000+00:00\", \"old_value\": \"2025-10-24 17:49:27.978000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0140: Behavioral Detection of Malicious File Deletion"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-31 12:39:18.816000+00:00",
+ "modified": "2026-04-15 20:29:50.512000+00:00",
+ "name": "Network Share Connection Removal",
+ "description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command. (Citation: Technet Net Use)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070/005",
+ "external_id": "T1070.005"
+ },
+ {
+ "source_name": "Technet Net Use",
+ "description": "Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.",
+ "url": "https://technet.microsoft.com/bb490717.aspx"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:29:50.512000+00:00\", \"old_value\": \"2025-10-24 17:49:11.691000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0103: Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-05-31 11:07:57.406000+00:00",
+ "modified": "2026-04-15 20:29:55.911000+00:00",
+ "name": "Relocate Malware",
+ "description": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.\n\nRelocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)\n\nRelocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. Moving payloads into target directories does not alter the Creation timestamp, thereby evading detection logic reliant on modifications to this artifact (i.e., [Timestomp](https://attack.mitre.org/techniques/T1070/006)).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070/010",
+ "external_id": "T1070.010"
+ },
+ {
+ "source_name": "Latrodectus APR 2024",
+ "description": "Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.",
+ "url": "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice"
+ },
+ {
+ "source_name": "DFIR Report Trickbot June 2023",
+ "description": "The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out. Retrieved May 31, 2024.",
+ "url": "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Gregory Frey",
+ "Matt Anderson, @\u200cnosecurething, Huntress"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Network Devices",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:29:55.911000+00:00\", \"old_value\": \"2025-10-05 16:08:40.119000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0439: Detection of Malware Relocation via Suspicious File Movement"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-01-31 12:42:44.103000+00:00",
+ "modified": "2026-04-15 20:30:57.770000+00:00",
+ "name": "Timestomp",
+ "description": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.\n\nIn Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)\n\nModifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)\n\nAdversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in \u201cdouble timestomping\u201d by modifying times on both attributes simultaneously.(Citation: Double Timestomping)\n\nIn Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t ` (which sets access and modification times to a specific value) or `touch -r ` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022)\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1070/006",
+ "external_id": "T1070.006"
+ },
+ {
+ "source_name": "Juniper Networks ESXi Backdoor 2022",
+ "description": "Asher Langton. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025.",
+ "url": "https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers"
+ },
+ {
+ "source_name": "WindowsIR Anti-Forensic Techniques",
+ "description": "Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques. Retrieved June 3, 2016.",
+ "url": "http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html"
+ },
+ {
+ "source_name": "Inversecos Linux Timestomping",
+ "description": "inversecos. (2022, August 4). Detecting Linux Anti-Forensics: Timestomping. Retrieved March 26, 2025.",
+ "url": "https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html"
+ },
+ {
+ "source_name": "Inversecos Timestomping 2022",
+ "description": "Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection \u2013 NTFS Forensics. Retrieved September 30, 2024.",
+ "url": "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html"
+ },
+ {
+ "source_name": "Magnet Forensics",
+ "description": "Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.",
+ "url": "https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/"
+ },
+ {
+ "source_name": "Double Timestomping",
+ "description": "Matthew Dunwoody. (2022, April 28). I have seen double-timestomping ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.",
+ "url": "https://x.com/matthewdunwoody/status/1519846657646604289"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Mike Hartley @mikehartley10",
+ "Romain Dumont, ESET"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:30:57.770000+00:00\", \"old_value\": \"2025-10-24 17:48:43.937000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0591: Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2018-04-18 17:59:24.739000+00:00",
+ "modified": "2026-04-15 20:31:14.152000+00:00",
+ "name": "Indirect Command Execution",
+ "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)\n\nAdversaries may abuse these features for [Stealth](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1202",
+ "external_id": "T1202"
+ },
+ {
+ "source_name": "Bleeping Computer - Scriptrunner.exe",
+ "description": "Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting tool to deploy malware. Retrieved July 8, 2024.",
+ "url": "https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/"
+ },
+ {
+ "source_name": "Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot",
+ "description": "Cyble. (2024, December 5). Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot. Retrieved February 4, 2025.",
+ "url": "https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/"
+ },
+ {
+ "source_name": "Evi1cg Forfiles Nov 2017",
+ "description": "Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved September 12, 2024.",
+ "url": "https://x.com/Evi1cg/status/935027922397573120"
+ },
+ {
+ "source_name": "Secure Team - Scriptrunner.exe",
+ "description": "Secure Team - Information Assurance. (2023, January 8). Windows Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.",
+ "url": "https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/"
+ },
+ {
+ "source_name": "SS64",
+ "description": "SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.",
+ "url": "https://ss64.com/nt/scriptrunner.html"
+ },
+ {
+ "source_name": "VectorSec ForFiles Aug 2017",
+ "description": "vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved September 12, 2024.",
+ "url": "https://x.com/vector_sec/status/896049052642533376"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Liran Ravich, CardinalOps",
+ "Matthew Demaske, Adaptforward"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:31:14.152000+00:00\", \"old_value\": \"2025-10-24 17:48:40.495000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)\\n\\nAdversaries may abuse these features for [Stealth](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.\", \"old_value\": \"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. 
Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)\\n\\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). 
For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)\\n \\n-Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.\\n+Adversaries may abuse these features for [Stealth](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}, \"iterable_item_removed\": {\"root['external_references'][4]\": {\"source_name\": \"RSA Forfiles Aug 
2017\", \"description\": \"Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.\", \"url\": \"https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may abuse utilities that allow for command execu t Adversaries may abuse utilities that allow for command execu \n tion to bypass security restrictions that limit the use of c tion to bypass security restrictions that limit the use of c \n ommand-line interpreters. Various Windows utilities may be u ommand-line interpreters. Various Windows utilities may be u \n sed to execute commands, possibly without invoking [cmd](htt sed to execute commands, possibly without invoking [cmd](htt \n ps://attack.mitre.org/software/S0106). For example, [Forfile ps://attack.mitre.org/software/S0106). For example, [Forfile \n s](https://attack.mitre.org/software/S0193), the Program Com s](https://attack.mitre.org/software/S0193), the Program Com \n patibility Assistant (`pcalua.exe`), components of the Windo patibility Assistant (`pcalua.exe`), components of the Windo \n ws Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as ws Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as \n other utilities may invoke the execution of programs and co other utilities may invoke the execution of programs and co \n mmands from a [Command and Scripting Interpreter](https://at mmands from a [Command and Scripting Interpreter](https://at \n tack.mitre.org/techniques/T1059), Run window, or via scripts tack.mitre.org/techniques/T1059), Run window, or via scripts \n .(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Fo .(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Fo \n rfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(C rfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(C \n itation: SS64)(Citation: Bleeping Computer - Scriptrunner.ex itation: SS64)(Citation: Bleeping Computer - Scriptrunner.ex \n e) Adversaries may also abuse the `ssh.exe` binary to execut e) Adversaries may also abuse the `ssh.exe` binary to execut \n e malicious commands via the `ProxyCommand` and `LocalComman e malicious 
commands via the `ProxyCommand` and `LocalComman \n d` options, which can be invoked via the `-o` flag or by mod d` options, which can be invoked via the `-o` flag or by mod \n ifying the SSH config file.(Citation: Threat Actor Targets t ifying the SSH config file.(Citation: Threat Actor Targets t \n he Manufacturing industry with Lumma Stealer and Amadey Bot) he Manufacturing industry with Lumma Stealer and Amadey Bot) \n Adversaries may abuse these features for [Defense Evasion ] Adversaries may abuse these features for [Stealth ](https:/ \n (https://attack.mitre.org/tactics/TA0005), specifically to p /attack.mitre.org/tactics/TA0005), specifically to perform a \n erform arbitrary execution while subverting detections and/o rbitrary execution while subverting detections and/or mitiga \n r mitigation controls (such as Group Policy) that limit/prev tion controls (such as Group Policy) that limit/prevent the \n ent the usage of [cmd](https://attack.mitre.org/software/S01 usage of [cmd](https://attack.mitre.org/software/S0106) or f \n 06) or file extensions more commonly associated with malicio ile extensions more commonly associated with malicious paylo \n us payloads. ads. \n \n
",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0200: Indirect Command Execution \u2013 Windows utility abuse behavior chain"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-05-31 21:30:38.511000+00:00",
+ "modified": "2026-04-15 20:32:00.311000+00:00",
+ "name": "Masquerading",
+ "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036",
+ "external_id": "T1036"
+ },
+ {
+ "source_name": "LOLBAS Main Site",
+ "description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.",
+ "url": "https://lolbas-project.github.io/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Bartosz Jerzman",
+ "David Lu, Tripwire",
+ "Elastic",
+ "Felipe Esp\u00f3sito, @Pr0teus",
+ "Menachem Goldstein",
+ "Nick Carr, Mandiant",
+ "Oleg Kolesnikov, Securonix"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers",
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:32:00.311000+00:00\", \"old_value\": \"2025-10-24 17:48:42.609000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.8\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Twitter ItsReallyNick Masquerading Update\", \"description\": \"Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.\", \"url\": \"https://x.com/ItsReallyNick/status/1055321652777619457\"}, \"root['external_references'][2]\": {\"source_name\": \"Elastic Masquerade Ball\", \"description\": \"Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.\", \"url\": \"https://www.elastic.co/blog/how-hunt-masquerade-ball\"}}}",
+ "previous_version": "1.8",
+ "version_change": "1.8 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1017: User Training",
+ "M1018: User Account Management",
+ "M1022: Restrict File and Directory Permissions",
+ "M1038: Execution Prevention",
+ "M1040: Behavior Prevention on Endpoint",
+ "M1045: Code Signing",
+ "M1047: Audit",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0127: Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--34a80bc4-80f2-46e6-94ff-f3265a4b657c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-09-27 19:49:40.815000+00:00",
+ "modified": "2026-04-15 20:32:49.027000+00:00",
+ "name": "Break Process Trees",
+ "description": "An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the \u201cparent-child\" relationship for detection, breaking this relationship could result in the adversary\u2019s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) \n\nOn Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.\n\nAnother example is using the \u201cdaemon\u201d syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/009",
+ "external_id": "T1036.009"
+ },
+ {
+ "source_name": "3OHA double-fork 2022",
+ "description": "Juan Tapiador. (2022, April 11). UNIX daemonization and the double fork. Retrieved September 29, 2023.",
+ "url": "https://0xjet.github.io/3OHA/2022/04/11/post.html"
+ },
+ {
+ "source_name": "Microsoft XorDdos Linux Stealth 2022",
+ "description": "Microsoft Threat Intelligence. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/"
+ },
+ {
+ "source_name": "Sandfly BPFDoor 2022",
+ "description": "The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.",
+ "url": "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Tim (Wadhwa-)Brown"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:32:49.027000+00:00\", \"old_value\": \"2025-04-15 21:54:02.243000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0443: Detection Strategy for Masquerading via Breaking Process Trees"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--afac5dbc-4383-4fb6-9ba6-45b25d49e530",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2025-09-22 20:13:45.616000+00:00",
+ "modified": "2026-04-15 20:37:12.322000+00:00",
+ "name": "Browser Fingerprint",
+ "description": "Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP\u00a0User-Agent\u00a0request header\u00a0is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting\u00a0user agent.(Citation: Mozilla User Agent)\n\nAdversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/012",
+ "external_id": "T1036.012"
+ },
+ {
+ "source_name": "Mozilla User Agent",
+ "description": "MDN contributors. (2025, July 4). User-Agent header. Retrieved October 19, 2025.",
+ "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent"
+ },
+ {
+ "source_name": "Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques",
+ "description": "Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Retrieved April 15, 2026.",
+ "url": "https://arxiv.org/pdf/2110.10129"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:37:12.322000+00:00\", \"old_value\": \"2025-10-19 19:41:22.343000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP\\u00a0User-Agent\\u00a0request header\\u00a0is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting\\u00a0user agent.(Citation: Mozilla User Agent)\\n\\nAdversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)\", \"old_value\": \"Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. 
The HTTP\\u00a0User-Agent\\u00a0request header\\u00a0is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting\\u00a0user agent.(Citation: Mozilla User Agent)\\n\\nAdversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP\\u00a0User-Agent\\u00a0request header\\u00a0is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting\\u00a0user agent.(Citation: Mozilla User Agent)\\n \\n-Adversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)\\n+Adversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Gummy 
Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques\", \"old_value\": \"Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Retrieved April 15, 2026.\", \"old_value\": \"Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Retrieved September 22, 2025.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may attempt to blend in with legitimate traffic t Adversaries may attempt to blend in with legitimate traffic \n by spoofing browser and system attributes like operating sys by spoofing browser and system attributes like operating sys \n tem, system language, platform, user-agent string, resolutio tem, system language, platform, user-agent string, resolutio \n n, time zone, etc. The HTTP\u00a0User-Agent\u00a0request header\u00a0is a n, time zone, etc. The HTTP\u00a0User-Agent\u00a0request header\u00a0is a \n string that lets servers and network peers identify the appl string that lets servers and network peers identify the appl \n ication, operating system, vendor, and/or version of the req ication, operating system, vendor, and/or version of the req \n uesting\u00a0user agent.(Citation: Mozilla User Agent) Adversari uesting\u00a0user agent.(Citation: Mozilla User Agent) Adversari \n es may gather this information through [System Information D es may gather this information through [System Information D \n iscovery](https://attack.mitre.org/techniques/T1082) or by u iscovery](https://attack.mitre.org/techniques/T1082) or by u \n sers navigating to adversary-controlled websites, and then u sers navigating to adversary-controlled websites, and then u \n se that information to craft their web traffic to evade defe se that information to craft their web traffic to evade defe \n nses.(Citation: Gummy Browsers: Targeted Browser Spoofing ag nses.(Citation: Gummy Browsers Targeted Browser Spoofing aga \n ainst State-of-the-Art Fingerprinting Techniques) inst State-of-the-Art Fingerprinting Techniques) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0898: Detection of Spoofed User-Agent"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-08-04 20:54:03.066000+00:00",
+ "modified": "2026-04-15 20:33:07.592000+00:00",
+ "name": "Double File Extension",
+ "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system\u2019s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user\u2019s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/007",
+ "external_id": "T1036.007"
+ },
+ {
+ "source_name": "SOCPrime DoubleExtension",
+ "description": "Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.",
+ "url": "https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/"
+ },
+ {
+ "source_name": "PCMag DoubleExtension",
+ "description": "PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.",
+ "url": "https://www.pcmag.com/encyclopedia/term/double-extension"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:33:07.592000+00:00\", \"old_value\": \"2025-10-24 17:48:25.732000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_removed\": {\"root['external_references'][3]\": {\"source_name\": \"Seqrite DoubleExtension\", \"description\": \"Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension?. Retrieved July 27, 2021.\", \"url\": \"https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1017: User Training",
+ "M1028: Operating System Configuration"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0366: Detection Strategy for Double File Extension Masquerading"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-10 19:49:46.752000+00:00",
+ "modified": "2026-04-15 20:38:13.564000+00:00",
+ "name": "Invalid Code Signature",
+ "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/001",
+ "external_id": "T1036.001"
+ },
+ {
+ "source_name": "Threatexpress MetaTwin 2017",
+ "description": "Vest, J. (2017, October 9). Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads. Retrieved September 10, 2019.",
+ "url": "https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:38:13.564000+00:00\", \"old_value\": \"2025-10-24 17:49:15.520000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1045: Code Signing"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0031: Invalid Code Signature Execution Detection via Metadata and Behavioral Context"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-08-05 21:39:16.274000+00:00",
+ "modified": "2026-04-17 14:21:43.719000+00:00",
+ "name": "Masquerade Account Name",
+ "description": "Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \u201cadmin\u201d, \u201chelp\u201d, or \u201croot.\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/010",
+ "external_id": "T1036.010"
+ },
+ {
+ "source_name": "Elastic CUBA Ransomware 2022",
+ "description": "Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.",
+ "url": "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
+ },
+ {
+ "source_name": "Invictus IR Cloud Ransomware 2024",
+ "description": "Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.",
+ "url": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"
+ },
+ {
+ "source_name": "Huntress MOVEit 2023",
+ "description": "John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.",
+ "url": "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response"
+ },
+ {
+ "source_name": "Aquasec Kubernetes Attack 2023",
+ "description": "Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.",
+ "url": "https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Menachem Goldstein"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers",
+ "IaaS",
+ "Identity Provider",
+ "Linux",
+ "macOS",
+ "Office Suite",
+ "SaaS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-17 14:21:43.719000+00:00\", \"old_value\": \"2025-04-15 22:48:14.966000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\\n\\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \\u201cadmin\\u201d, \\u201chelp\\u201d, or \\u201croot.\\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \\n\\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. \", \"old_value\": \"Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. 
This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\\n\\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \\u201cadmin\\u201d, \\u201chelp\\u201d, or \\u201croot.\\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \\n\\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. \", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \\u201cadmin\\u201d, \\u201chelp\\u201d, or \\u201croot.\\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \\n \\n-Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. 
\\n+Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. \"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may match or approximate the names of legitimate t Adversaries may match or approximate the names of legitimate \n accounts to make newly created ones appear benign. This wil accounts to make newly created ones appear benign. This wil \n l typically occur during [Create Account](https://attack.mit l typically occur during [Create Account](https://attack.mit \n re.org/techniques/T1136), although accounts may also be rena re.org/techniques/T1136), although accounts may also be rena \n med at a later date. This may also coincide with [Account Ac med at a later date. This may also coincide with [Account Ac \n cess Removal](https://attack.mitre.org/techniques/T1531) if cess Removal](https://attack.mitre.org/techniques/T1531) if \n the actor first deletes an account before re-creating one wi the actor first deletes an account before re-creating one wi \n th the same name.(Citation: Huntress MOVEit 2023) Often, ad th the same name.(Citation: Huntress MOVEit 2023) Often, ad \n versaries will attempt to masquerade as service accounts, su versaries will attempt to masquerade as service accounts, su \n ch as those associated with legitimate software, data backup ch as those associated with legitimate software, data backup \n s, or container cluster management.(Citation: Elastic CUBA R s, or container cluster management.(Citation: Elastic CUBA R \n ansomware 2022)(Citation: Aquasec Kubernetes Attack 2023) Th ansomware 2022)(Citation: Aquasec Kubernetes Attack 2023) Th \n ey may also give accounts generic, trustworthy names, such a ey may also give accounts generic, trustworthy names, such a \n s \u201cadmin\u201d, \u201chelp\u201d, or \u201croot.\u201d(Citation: Invictus IR Cloud Ra s \u201cadmin\u201d, \u201chelp\u201d, or \u201croot.\u201d(Citation: Invictus IR Cloud Ra \n nsomware 2024) Sometimes adversaries may model account names nsomware 2024) Sometimes adversaries may model account names \n off of those 
already existing in the system, as a follow-on off of those already existing in the system, as a follow-on \n behavior to [Account Discovery](https://attack.mitre.org/te behavior to [Account Discovery](https://attack.mitre.org/te \n chniques/T1087). Note that this is distinct from [Imperso chniques/T1087). Note that this is distinct from [Imperso \n nation](https://attack.mitre.org/techniques/T1656 ), which de nation](https://attack.mitre.org/techniques/T1684/001 ), whic \n scribes impersonating specific trusted individuals or organi h describes impersonating specific trusted individuals or or \n zations, rather than user or service account names. ganizations, rather than user or service account names. \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0383: Detection Strategy for Masquerading via Account Name Similarity"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-03-08 22:40:06.918000+00:00",
+ "modified": "2026-04-15 20:39:13.971000+00:00",
+ "name": "Masquerade File Type",
+ "description": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file\u2019s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file\u2019s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file\u2019s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header\u2019s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. \n\nCommon non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.\n\nPolyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/008",
+ "external_id": "T1036.008"
+ },
+ {
+ "source_name": "polygot_icedID",
+ "description": "Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.",
+ "url": "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Ben Smith",
+ "CrowdStrike Falcon OverWatch"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:39:13.971000+00:00\", \"old_value\": \"2025-10-08 17:44:11.183000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1038: Execution Prevention",
+ "M1040: Behavior Prevention on Endpoint",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0226: Detection Strategy for Masquerading via File Type Modification"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-10 20:30:07.426000+00:00",
+ "modified": "2026-04-15 20:39:39.311000+00:00",
+ "name": "Masquerade Task or Service",
+ "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/004",
+ "external_id": "T1036.004"
+ },
+ {
+ "source_name": "Fysbis Dr Web Analysis",
+ "description": "Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.",
+ "url": "https://vms.drweb.com/virus/?i=4276269"
+ },
+ {
+ "source_name": "Palo Alto Shamoon Nov 2016",
+ "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ },
+ {
+ "source_name": "Systemd Service Units",
+ "description": "Freedesktop.org. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 16, 2020.",
+ "url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
+ },
+ {
+ "source_name": "TechNet Schtasks",
+ "description": "Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.",
+ "url": "https://technet.microsoft.com/en-us/library/bb490996.aspx"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:39:39.311000+00:00\", \"old_value\": \"2025-10-24 17:49:00.215000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0117: Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-10 20:43:10.239000+00:00",
+ "modified": "2026-04-15 20:39:41.881000+00:00",
+ "name": "Match Legitimate Resource Name or Location",
+ "description": "Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. \n\nThis may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/005",
+ "external_id": "T1036.005"
+ },
+ {
+ "source_name": "Aquasec Kubernetes Backdoor 2023",
+ "description": "Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March 24, 2025.",
+ "url": "https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Vishwas Manral, McAfee",
+ "Yossi Weizman, Azure Defender Research Team"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers",
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:39:41.881000+00:00\", \"old_value\": \"2025-10-24 17:48:28.950000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.0\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Twitter ItsReallyNick Masquerading Update\", \"description\": \"Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.\", \"url\": \"https://x.com/ItsReallyNick/status/1055321652777619457\"}, \"root['external_references'][2]\": {\"source_name\": \"Docker Images\", \"description\": \"Docker. (n.d.). Docker Images. Retrieved April 6, 2021.\", \"url\": \"https://docs.docker.com/engine/reference/commandline/images/\"}, \"root['external_references'][3]\": {\"source_name\": \"Elastic Masquerade Ball\", \"description\": \"Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.\", \"url\": \"https://www.elastic.co/blog/how-hunt-masquerade-ball\"}}}",
+ "previous_version": "2.0",
+ "version_change": "2.0 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions",
+ "M1038: Execution Prevention",
+ "M1045: Code Signing"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0347: Detection Strategy for Masquerading via Legitimate Resource Name or Location"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--514dc7b3-0b80-4382-80a9-2e2d294f5019",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2025-03-27 20:37:52.269000+00:00",
+ "modified": "2026-04-15 20:40:03.475000+00:00",
+ "name": "Overwrite Process Arguments",
+ "description": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process\u2019s stack and passes them to the `main()` function as the `argv` array. The first element, `argv[0]`, typically contains the process name or path - by default, the command used to actually start the process (e.g., `cat /etc/passwd`). By default, the Linux `/proc` filesystem uses this value to represent the process name. The `/proc//cmdline` file reflects the contents of this memory, and tools like `ps` use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges. \n\nDuring runtime, adversaries can erase the memory used by all command-line arguments for a process, overwriting each argument string with null bytes. This removes evidence of how the process was originally launched. They can then write a spoofed string into the memory region previously occupied by `argv[0]` to mimic a benign command, such as `cat resolv.conf`. The new command-line string is reflected in `/proc//cmdline` and displayed by tools like `ps`.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/011",
+ "external_id": "T1036.011"
+ },
+ {
+ "source_name": "Microsoft XorDdos Linux Stealth 2022",
+ "description": "Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or with Saurabh Swaroop. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/"
+ },
+ {
+ "source_name": "Sandfly BPFDoor 2022",
+ "description": "The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.",
+ "url": "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:40:03.475000+00:00\", \"old_value\": \"2025-04-15 19:58:30.391000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0164: Detection Strategy for Overwritten Process Arguments Masquerading"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-10 20:03:11.691000+00:00",
+ "modified": "2026-04-15 20:40:54.471000+00:00",
+ "name": "Rename Legitimate Utilities",
+ "description": "Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main Site)(Citation: Huntress Python Malware 2025)(Citation: The DFIR Report AutoHotKey 2023)(Citation: Splunk Detect Renamed PSExec) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.(Citation: F-Secure CozyDuke)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/003",
+ "external_id": "T1036.003"
+ },
+ {
+ "source_name": "Elastic Masquerade Ball",
+ "description": "Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.",
+ "url": "https://www.elastic.co/blog/how-hunt-masquerade-ball"
+ },
+ {
+ "source_name": "F-Secure CozyDuke",
+ "description": "F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.",
+ "url": "https://www.f-secure.com/documents/996508/1030745/CozyDuke"
+ },
+ {
+ "source_name": "LOLBAS Main Site",
+ "description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.",
+ "url": "https://lolbas-project.github.io/"
+ },
+ {
+ "source_name": "Huntress Python Malware 2025",
+ "description": "Matthew Brennan. (2024, July 5). Snakes on a Domain: An Analysis of a Python Malware Loader. Retrieved April 3, 2025.",
+ "url": "https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader"
+ },
+ {
+ "source_name": "Splunk Detect Renamed PSExec",
+ "description": "Splunk. (2025, February 24). Detection: Detect Renamed PSExec. Retrieved April 3, 2025.",
+ "url": "https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/"
+ },
+ {
+ "source_name": "The DFIR Report AutoHotKey 2023",
+ "description": "The DFIR Report. (2023, February 6). Collect, Exfiltrate, Sleep, Repeat. Retrieved April 3, 2025.",
+ "url": "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Matt Anderson, @\u200cnosecurething, Huntress"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:40:54.471000+00:00\", \"old_value\": \"2025-10-24 17:49:18.517000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.0\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Twitter ItsReallyNick Masquerading Update\", \"description\": \"Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.\", \"url\": \"https://x.com/ItsReallyNick/status/1055321652777619457\"}}}",
+ "previous_version": "2.0",
+ "version_change": "2.0 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1022: Restrict File and Directory Permissions"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0005: Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-10 19:55:29.385000+00:00",
+ "modified": "2026-04-15 20:41:03.753000+00:00",
+ "name": "Right-to-Left Override",
+ "description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/002",
+ "external_id": "T1036.002"
+ },
+ {
+ "source_name": "Trend Micro PLEAD RTLO",
+ "description": "Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/"
+ },
+ {
+ "source_name": "Kaspersky RTLO Cyber Crime",
+ "description": "Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019.",
+ "url": "https://securelist.com/zero-day-vulnerability-in-telegram/83800/"
+ },
+ {
+ "source_name": "Infosecinstitute RTLO Technique",
+ "description": "Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019.",
+ "url": "https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:41:03.753000+00:00\", \"old_value\": \"2025-10-24 17:48:58.683000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/\", \"old_value\": \"https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0527: Right-to-Left Override Masquerading Detection via Filename and Execution Context"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-10 20:47:10.082000+00:00",
+ "modified": "2026-04-15 20:41:09.462000+00:00",
+ "name": "Space after Filename",
+ "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1036/006",
+ "external_id": "T1036.006"
+ },
+ {
+ "source_name": "Mac Backdoors are back",
+ "description": "Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.",
+ "url": "https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Erye Hernandez, Palo Alto Networks"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 20:41:09.462000+00:00\", \"old_value\": \"2025-10-24 17:49:32.287000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0292: Masquerading via Space After Filename - Behavioral Detection Strategy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-11 19:01:56.887000+00:00",
+ "modified": "2026-04-16 20:07:52.977000+00:00",
+ "name": "Modify Authentication Process",
+ "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556",
+ "external_id": "T1556"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Chris Ross @xorrior"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Identity Provider",
+ "Linux",
+ "macOS",
+ "Network Devices",
+ "Office Suite",
+ "SaaS",
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.977000+00:00\", \"old_value\": \"2025-10-24 17:49:36.944000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.6\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Clymb3r Function Hook Passwords Sept 2013\", \"description\": \"Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.\", \"url\": \"https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/\"}, \"root['external_references'][2]\": {\"source_name\": \"Xorrior Authorization Plugins\", \"description\": \"Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021.\", \"url\": \"https://xorrior.com/persistent-credential-theft/\"}, \"root['external_references'][3]\": {\"source_name\": \"Dell Skeleton\", \"description\": \"Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.\", \"url\": \"https://www.secureworks.com/research/skeleton-key-malware-analysis\"}, \"root['external_references'][4]\": {\"source_name\": \"dump_pwd_dcsync\", \"description\": \"Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.\", \"url\": \"https://adsecurity.org/?p=2053\"}, \"root['external_references'][5]\": {\"source_name\": \"TechNet Audit Policy\", \"description\": \"Microsoft. (2016, April 15). Audit Policy Recommendations. 
Retrieved June 3, 2016.\", \"url\": \"https://technet.microsoft.com/en-us/library/dn487457.aspx\"}}}",
+ "previous_version": "2.6",
+ "version_change": "2.6 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1022: Restrict File and Directory Permissions",
+ "M1024: Restrict Registry Permissions",
+ "M1025: Privileged Process Integrity",
+ "M1026: Privileged Account Management",
+ "M1027: Password Policies",
+ "M1028: Operating System Configuration",
+ "M1032: Multi-factor Authentication",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0104: Detect Modification of Authentication Processes Across Platforms"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-01-02 13:43:37.389000+00:00",
+ "modified": "2026-04-16 20:07:53.111000+00:00",
+ "name": "Conditional Access Policies",
+ "description": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. \n\nBy modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/009",
+ "external_id": "T1556.009"
+ },
+ {
+ "source_name": "AWS IAM Conditions",
+ "description": "AWS. (n.d.). IAM JSON policy elements: Condition. Retrieved January 2, 2024.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html"
+ },
+ {
+ "source_name": "GCP IAM Conditions",
+ "description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.",
+ "url": "https://cloud.google.com/iam/docs/conditions-overview"
+ },
+ {
+ "source_name": "JumpCloud Conditional Access Policies",
+ "description": "JumpCloud. (n.d.). Get Started: Conditional Access Policies. Retrieved January 2, 2024.",
+ "url": "https://jumpcloud.com/support/get-started-conditional-access-policies"
+ },
+ {
+ "source_name": "Microsoft Conditional Access",
+ "description": "Microsoft. (2023, November 15). What is Conditional Access?. Retrieved January 2, 2024.",
+ "url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"
+ },
+ {
+ "source_name": "Okta Conditional Access Policies",
+ "description": "Okta. (2023, November 30). Conditional Access Based on Device Security Posture. Retrieved January 2, 2024.",
+ "url": "https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Gavin Knapp",
+ "Joshua Penny"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Identity Provider"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.111000+00:00\", \"old_value\": \"2025-04-15 22:09:03.621000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0030: Detect Conditional Access Policy Modification in Identity and Cloud Platforms"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-11 19:05:02.399000+00:00",
+ "modified": "2026-04-16 20:07:53.091000+00:00",
+ "name": "Domain Controller Authentication",
+ "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/001",
+ "external_id": "T1556.001"
+ },
+ {
+ "source_name": "Dell Skeleton",
+ "description": "Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.",
+ "url": "https://www.secureworks.com/research/skeleton-key-malware-analysis"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.091000+00:00\", \"old_value\": \"2025-10-24 17:49:27.324000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"TechNet Audit Policy\", \"description\": \"Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.\", \"url\": \"https://technet.microsoft.com/en-us/library/dn487457.aspx\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1017: User Training",
+ "M1025: Privileged Process Integrity",
+ "M1026: Privileged Account Management",
+ "M1032: Multi-factor Authentication"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0271: Detect Domain Controller Authentication Process Modification (Skeleton Key)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-09-28 13:29:53.354000+00:00",
+ "modified": "2026-04-16 20:07:52.922000+00:00",
+ "name": "Hybrid Identity",
+ "description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. \n\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud \n* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory \n* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID \n\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users\u2019 identity and privileges. \n\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. 
For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/007",
+ "external_id": "T1556.007"
+ },
+ {
+ "source_name": "Azure AD Connect for Read Teamers",
+ "description": "Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers. Retrieved September 28, 2022.",
+ "url": "https://blog.xpnsec.com/azuread-connect-for-redteam/"
+ },
+ {
+ "source_name": "AADInternals Azure AD On-Prem to Cloud",
+ "description": "Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.",
+ "url": "https://o365blog.com/post/on-prem_admin/"
+ },
+ {
+ "source_name": "MagicWeb",
+ "description": "Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM\u2019s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.",
+ "url": "https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/"
+ },
+ {
+ "source_name": "Azure AD Hybrid Identity",
+ "description": "Microsoft. (2022, August 26). Choose the right authentication method for your Azure Active Directory hybrid identity solution. Retrieved September 28, 2022.",
+ "url": "https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn"
+ },
+ {
+ "source_name": "Mandiant Azure AD Backdoors",
+ "description": "Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.",
+ "url": "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Identity Provider",
+ "Office Suite",
+ "SaaS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.922000+00:00\", \"old_value\": \"2025-04-15 22:40:10.913000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1032: Multi-factor Authentication",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0293: Detect Hybrid Identity Authentication Process Modification"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-05-31 19:31:38.431000+00:00",
+ "modified": "2026-04-16 20:07:52.875000+00:00",
+ "name": "Multi-Factor Authentication",
+ "description": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)\n\nFor example, modifying the Windows hosts file (`C:\\windows\\system32\\drivers\\etc\\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a \"fail open\" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) \n\nDepending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/006",
+ "external_id": "T1556.006"
+ },
+ {
+ "source_name": "Russians Exploit Default MFA Protocol - CISA March 2022",
+ "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability. Retrieved May 31, 2022.",
+ "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
+ },
+ {
+ "source_name": "Mandiant APT42",
+ "description": "Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.",
+ "url": "https://www.mandiant.com/media/17826"
+ },
+ {
+ "source_name": "Azure AD Conditional Access Exclusions",
+ "description": "Microsoft. (2022, August 26). Use Azure AD access reviews to manage users excluded from Conditional Access policies. Retrieved August 30, 2022.",
+ "url": "https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Arun Seelagan, CISA",
+ "Liran Ravich, CardinalOps",
+ "Muhammad Moiz Arshad, @5T34L7H"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Identity Provider",
+ "Linux",
+ "macOS",
+ "Office Suite",
+ "SaaS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.875000+00:00\", \"old_value\": \"2025-04-15 19:58:59.338000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.4\"}}}",
+ "previous_version": "1.4",
+ "version_change": "1.4 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1032: Multi-factor Authentication",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0190: Detect MFA Modification or Disabling Across Platforms"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-10-19 17:58:04.155000+00:00",
+ "modified": "2026-04-16 20:07:53.117000+00:00",
+ "name": "Network Device Authentication",
+ "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: Mandiant - Synful Knock)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/004",
+ "external_id": "T1556.004"
+ },
+ {
+ "source_name": "Mandiant - Synful Knock",
+ "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.117000+00:00\", \"old_value\": \"2025-10-24 17:49:38.719000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"Cisco IOS Software Integrity Assurance - Image File Verification\", \"description\": \"Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.\", \"url\": \"https://tools.cisco.com/security/center/resources/integrity_assurance.html#7\"}, \"root['external_references'][3]\": {\"source_name\": \"Cisco IOS Software Integrity Assurance - Run-Time Memory Verification\", \"description\": \"Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.\", \"url\": \"https://tools.cisco.com/security/center/resources/integrity_assurance.html#13\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1032: Multi-factor Authentication"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0272: Detect Modification of Network Device Authentication via Patched System Images"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-03-30 22:45:00.431000+00:00",
+ "modified": "2026-04-16 20:07:53.025000+00:00",
+ "name": "Network Provider DLL",
+ "description": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify) \n\nAdversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.(Citation: NPLogonNotify)\n\nAdversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/008",
+ "external_id": "T1556.008"
+ },
+ {
+ "source_name": "NPPSPY - Huntress",
+ "description": " Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved March 30, 2023.",
+ "url": "https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy"
+ },
+ {
+ "source_name": "NPPSPY Video",
+ "description": "Grzegorz Tworek. (2021, December 14). How winlogon.exe shares the cleartext password with custom DLLs. Retrieved March 30, 2023.",
+ "url": "https://www.youtube.com/watch?v=ggY3srD9dYs"
+ },
+ {
+ "source_name": "NPPSPY",
+ "description": "Grzegorz Tworek. (2021, December 15). NPPSpy. Retrieved March 30, 2023.",
+ "url": "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy"
+ },
+ {
+ "source_name": "Network Provider API",
+ "description": "Microsoft. (2021, January 7). Network Provider API. Retrieved March 30, 2023.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api"
+ },
+ {
+ "source_name": "NPLogonNotify",
+ "description": "Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023.",
+ "url": "https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "CrowdStrike Falcon OverWatch",
+ "Jai Minton"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.025000+00:00\", \"old_value\": \"2025-04-15 22:51:56.379000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1024: Restrict Registry Permissions",
+ "M1028: Operating System Configuration",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0580: Detect Network Provider DLL Registration and Credential Capture"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-11 19:05:45.829000+00:00",
+ "modified": "2026-04-16 20:07:53.031000+00:00",
+ "name": "Password Filter DLL",
+ "description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/002",
+ "external_id": "T1556.002"
+ },
+ {
+ "source_name": "Carnal Ownage Password Filters Sept 2013",
+ "description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.",
+ "url": "http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Vincent Le Toux"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.031000+00:00\", \"old_value\": \"2025-10-24 17:48:39.067000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Clymb3r Function Hook Passwords Sept 2013\", \"description\": \"Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.\", \"url\": \"https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1028: Operating System Configuration"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0472: Detect Malicious Password Filter DLL Registration"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-06-26 04:01:09.648000+00:00",
+ "modified": "2026-04-16 20:07:53.037000+00:00",
+ "name": "Pluggable Authentication Modules",
+ "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/003",
+ "external_id": "T1556.003"
+ },
+ {
+ "source_name": "Apple PAM",
+ "description": "Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.",
+ "url": "https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt"
+ },
+ {
+ "source_name": "Man Pam_Unix",
+ "description": "die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.",
+ "url": "https://linux.die.net/man/8/pam_unix"
+ },
+ {
+ "source_name": "PAM Creds",
+ "description": "Fern\u00e1ndez, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/"
+ },
+ {
+ "source_name": "Red Hat PAM",
+ "description": "Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.",
+ "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules"
+ },
+ {
+ "source_name": "PAM Backdoor",
+ "description": "zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.",
+ "url": "https://github.com/zephrax/linux-pam-backdoor"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "George Allen, VMware Carbon Black",
+ "Scott Knight, @sdotknight, VMware Carbon Black"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.037000+00:00\", \"old_value\": \"2025-10-24 17:48:21.118000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1032: Multi-factor Authentication"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0454: Detect Malicious Modification of Pluggable Authentication Modules (PAM)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-01-13 20:02:28.349000+00:00",
+ "modified": "2026-04-16 20:07:53.082000+00:00",
+ "name": "Reversible Encryption",
+ "description": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)\n\nIf the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:\n\n1. Encrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters\n2. 16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters\n3. Global LSA secret (G$MSRADIUSCHAPKEY)\n4. Static key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)\n\nWith this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)\n\nAn adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory [PowerShell](https://attack.mitre.org/techniques/T1059/001) module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to \"Windows Server 2008\" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1556/005",
+ "external_id": "T1556.005"
+ },
+ {
+ "source_name": "dump_pwd_dcsync",
+ "description": "Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.",
+ "url": "https://adsecurity.org/?p=2053"
+ },
+ {
+ "source_name": "store_pwd_rev_enc",
+ "description": "Microsoft. (2021, October 28). Store passwords using reversible encryption. Retrieved January 3, 2022.",
+ "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption"
+ },
+ {
+ "source_name": "how_pwd_rev_enc_1",
+ "description": "Teusink, N. (2009, August 25). Passwords stored using reversible encryption: how it works (part 1). Retrieved November 17, 2021.",
+ "url": "http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html"
+ },
+ {
+ "source_name": "how_pwd_rev_enc_2",
+ "description": "Teusink, N. (2009, August 26). Passwords stored using reversible encryption: how it works (part 2). Retrieved November 17, 2021.",
+ "url": "http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.082000+00:00\", \"old_value\": \"2025-10-24 17:49:27.587000+00:00\"}, \"root['kill_chain_phases'][1]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\", \"new_path\": \"root['kill_chain_phases'][0]['phase_name']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1027: Password Policies"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0589: Detect Modification of Authentication Process via Reversible Encryption"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2019-08-30 18:03:05.864000+00:00",
+ "modified": "2026-04-16 20:07:52.919000+00:00",
+ "name": "Modify Cloud Compute Infrastructure",
+ "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1578",
+ "external_id": "T1578"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.919000+00:00\", \"old_value\": \"2025-10-24 17:48:26.284000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0308: Detection Strategy for Modify Cloud Compute Infrastructure"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-05-14 14:45:15.978000+00:00",
+ "modified": "2026-04-16 20:07:52.862000+00:00",
+ "name": "Create Cloud Instance",
+ "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1578/002",
+ "external_id": "T1578.002"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Arun Seelagan, CISA"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.862000+00:00\", \"old_value\": \"2025-10-24 17:49:24.804000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"AWS CloudTrail Search\", \"description\": \"Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.\", \"url\": \"https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/\"}, \"root['external_references'][2]\": {\"source_name\": \"Cloud Audit Logs\", \"description\": \"Google. (n.d.). Audit Logs. Retrieved June 1, 2020.\", \"url\": \"https://cloud.google.com/logging/docs/audit#admin-activity\"}, \"root['external_references'][4]\": {\"source_name\": \"Azure Activity Logs\", \"description\": \"Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0449: Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-06-09 15:33:13.563000+00:00",
+ "modified": "2026-04-16 20:07:52.934000+00:00",
+ "name": "Create Snapshot",
+ "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1578/001",
+ "external_id": "T1578.001"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.934000+00:00\", \"old_value\": \"2025-10-24 17:49:34.416000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"AWS Cloud Trail Backup API\", \"description\": \"Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. Retrieved April 27, 2020.\", \"url\": \"https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\"}, \"root['external_references'][2]\": {\"source_name\": \"GCP - Creating and Starting a VM\", \"description\": \"Google. (2020, April 23). Creating and Starting a VM instance. Retrieved May 1, 2020.\", \"url\": \"https://cloud.google.com/compute/docs/instances/create-start-instance#api_2\"}, \"root['external_references'][3]\": {\"source_name\": \"Cloud Audit Logs\", \"description\": \"Google. (n.d.). Audit Logs. Retrieved June 1, 2020.\", \"url\": \"https://cloud.google.com/logging/docs/audit#admin-activity\"}, \"root['external_references'][5]\": {\"source_name\": \"Azure - Monitor Logs\", \"description\": \"Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor. Retrieved May 1, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0423: Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-06-16 17:23:06.508000+00:00",
+ "modified": "2026-04-16 20:07:52.915000+00:00",
+ "name": "Delete Cloud Instance",
+ "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1578/003",
+ "external_id": "T1578.003"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Arun Seelagan, CISA"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.915000+00:00\", \"old_value\": \"2025-10-24 17:48:56.705000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"AWS CloudTrail Search\", \"description\": \"Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.\", \"url\": \"https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/\"}, \"root['external_references'][2]\": {\"source_name\": \"Cloud Audit Logs\", \"description\": \"Google. (n.d.). Audit Logs. Retrieved June 1, 2020.\", \"url\": \"https://cloud.google.com/logging/docs/audit#admin-activity\"}, \"root['external_references'][4]\": {\"source_name\": \"Azure Activity Logs\", \"description\": \"Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0084: Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ca00366b-83a1-4c7b-a0ce-8ff950a7c87f",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-09-05 14:19:17.486000+00:00",
+ "modified": "2026-04-16 20:07:53.098000+00:00",
+ "name": "Modify Cloud Compute Configurations",
+ "description": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim\u2019s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\n\nFor example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim\u2019s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1578/005",
+ "external_id": "T1578.005"
+ },
+ {
+ "source_name": "Microsoft Cryptojacking 2023",
+ "description": "Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/"
+ },
+ {
+ "source_name": "Microsoft Azure Policy",
+ "description": "Microsoft. (2023, August 30). Azure Policy built-in policy definitions. Retrieved September 5, 2023.",
+ "url": "https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Amir Gharib, Microsoft Threat Intelligence",
+ "Blake Strom, Microsoft Threat Intelligence"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.098000+00:00\", \"old_value\": \"2025-04-15 22:49:17.012000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.0\"}}}",
+ "previous_version": "2.0",
+ "version_change": "2.0 \u2192 3.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0492: Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-06-16 18:42:20.734000+00:00",
+ "modified": "2026-04-16 20:07:52.953000+00:00",
+ "name": "Revert Cloud Instance",
+ "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1578/004",
+ "external_id": "T1578.004"
+ },
+ {
+ "source_name": "Google - Restore Cloud Snapshot",
+ "description": "Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019.",
+ "url": "https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots"
+ },
+ {
+ "source_name": "Tech Republic - Restore AWS Snapshots",
+ "description": "Hardiman, N.. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019.",
+ "url": "https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Netskope"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.953000+00:00\", \"old_value\": \"2025-10-24 17:48:21.210000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0337: Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-09-25 14:16:19.234000+00:00",
+ "modified": "2026-04-16 20:07:52.999000+00:00",
+ "name": "Modify Cloud Resource Hierarchy",
+ "description": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \n\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1666",
+ "external_id": "T1666"
+ },
+ {
+ "source_name": "AWS re Inforce Trust Mod",
+ "description": "AWS re Inforce. (2024, June). Retrieved April 15, 2026.",
+ "url": "https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ },
+ {
+ "source_name": "AWS Organizations",
+ "description": "AWS. (n.d.). Terminology and concepts for AWS Organizations. Retrieved September 25, 2024.",
+ "url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html"
+ },
+ {
+ "source_name": "Microsoft Subscription Hijacking 2022",
+ "description": "Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.",
+ "url": "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121"
+ },
+ {
+ "source_name": "Microsoft Azure Resources",
+ "description": "Microsoft Azure. (2024, May 31). Organize your Azure resources effectively. Retrieved September 25, 2024.",
+ "url": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources"
+ },
+ {
+ "source_name": "Microsoft Peach Sandstorm 2023",
+ "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.999000+00:00\", \"old_value\": \"2025-04-15 22:49:45.874000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \\n\\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\\n\\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\\n\\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. 
This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)\", \"old_value\": \"Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \\n\\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\\n\\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\\n\\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. 
This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)\", \"diff\": \"--- \\n+++ \\n@@ -4,4 +4,4 @@\\n \\n Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\\n \\n-In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)\\n+In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. 
This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"AWS re Inforce Trust Mod\", \"old_value\": \"AWS RE:Inforce Threat Detection 2024\", \"new_path\": \"root['external_references'][1]['source_name']\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"AWS re Inforce. (2024, June). Retrieved April 15, 2026.\", \"old_value\": \"Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.\", \"new_path\": \"root['external_references'][1]['description']\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf\", \"old_value\": \"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf\", \"new_path\": \"root['external_references'][1]['url']\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may attempt to modify hierarchical structures in t Adversaries may attempt to modify hierarchical structures in \n infrastructure-as-a-service (IaaS) environments in order to infrastructure-as-a-service (IaaS) environments in order to \n evade defenses. IaaS environments often group resources evade defenses. IaaS environments often group resources \n into a hierarchy, enabling improved resource management and into a hierarchy, enabling improved resource management and \n application of policies to relevant groups. Hierarchical str application of policies to relevant groups. Hierarchical str \n uctures differ among cloud providers. For example, in AWS en uctures differ among cloud providers. For example, in AWS en \n vironments, multiple accounts can be grouped under a single vironments, multiple accounts can be grouped under a single \n organization, while in Azure environments, multiple subscrip organization, while in Azure environments, multiple subscrip \n tions can be grouped under a single management group.(Citati tions can be grouped under a single management group.(Citati \n on: AWS Organizations)(Citation: Microsoft Azure Resources) on: AWS Organizations)(Citation: Microsoft Azure Resources) \n Adversaries may add, delete, or otherwise modify resource g Adversaries may add, delete, or otherwise modify resource g \n roups within an IaaS hierarchy. For example, in Azure enviro roups within an IaaS hierarchy. For example, in Azure enviro \n nments, an adversary who has gained access to a Global Admin nments, an adversary who has gained access to a Global Admin \n istrator account may create new subscriptions in which to de istrator account may create new subscriptions in which to de \n ploy resources. They may also engage in subscription hijacki ploy resources. 
They may also engage in subscription hijacki \n ng by transferring an existing pay-as-you-go subscription fr ng by transferring an existing pay-as-you-go subscription fr \n om a victim tenant to an adversary-controlled tenant. This w om a victim tenant to an adversary-controlled tenant. This w \n ill allow the adversary to use the victim\u2019s compute resource ill allow the adversary to use the victim\u2019s compute resource \n s without generating logs on the victim tenant.(Citation: Mi s without generating logs on the victim tenant.(Citation: Mi \n crosoft Peach Sandstorm 2023)(Citation: Microsoft Subscripti crosoft Peach Sandstorm 2023)(Citation: Microsoft Subscripti \n on Hijacking 2022) In AWS environments, adversaries with ap on Hijacking 2022) In AWS environments, adversaries with ap \n propriate permissions in a given account may call the `Leave propriate permissions in a given account may call the `Leave \n Organization` API, causing the account to be severed from th Organization` API, causing the account to be severed from th \n e AWS Organization to which it was tied and removing any Ser e AWS Organization to which it was tied and removing any Ser \n vice Control Policies, guardrails, or restrictions imposed u vice Control Policies, guardrails, or restrictions imposed u \n pon it by its former Organization. Alternatively, adversarie pon it by its former Organization. Alternatively, adversarie \n s may call the `CreateAccount` API in order to create a new s may call the `CreateAccount` API in order to create a new \n account within an AWS Organization. This account will use th account within an AWS Organization. 
This account will use th \n e same payment methods registered to the payment account but e same payment methods registered to the payment account but \n may not be subject to existing detections or Service Contro may not be subject to existing detections or Service Contro \n l Policies.(Citation: AWS RE: Inforce Threat Detection 2024 ) l Policies.(Citation: AWS re Inforce Trust Mod ) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1018: User Account Management",
+ "M1047: Audit",
+ "M1054: Software Configuration"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0155: Detection Strategy for Modify Cloud Resource Hierarchy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-05-31 21:31:23.587000+00:00",
+ "modified": "2026-04-16 20:07:53.021000+00:00",
+ "name": "Modify Registry",
+ "description": "Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.\n\nAccess to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.\n\nThe Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to impair defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. 
It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\n\nFinally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1112",
+ "external_id": "T1112"
+ },
+ {
+ "source_name": "CISA Russian Gov Critical Infra 2018",
+ "description": "CISA. (2018, March 16). Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025.",
+ "url": "https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors"
+ },
+ {
+ "source_name": "CISA LockBit 2023",
+ "description": "CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved March 24, 2025.",
+ "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a"
+ },
+ {
+ "source_name": "Avaddon Ransomware 2021",
+ "description": "Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved March 24, 2025.",
+ "url": "https://arxiv.org/pdf/2102.04796"
+ },
+ {
+ "source_name": "Microsoft BlackCat Jun 2022",
+ "description": "Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
+ },
+ {
+ "source_name": "Microsoft Reg",
+ "description": "Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.",
+ "url": "https://technet.microsoft.com/en-us/library/cc732643.aspx"
+ },
+ {
+ "source_name": "Microsoft Remote",
+ "description": "Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.",
+ "url": "https://technet.microsoft.com/en-us/library/cc754820.aspx"
+ },
+ {
+ "source_name": "SpectorOps Hiding Reg Jul 2017",
+ "description": "Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.",
+ "url": "https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353"
+ },
+ {
+ "source_name": "Microsoft Reghide NOV 2006",
+ "description": "Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.",
+ "url": "https://docs.microsoft.com/sysinternals/downloads/reghide"
+ },
+ {
+ "source_name": "TrendMicro POWELIKS AUG 2014",
+ "description": "Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/"
+ },
+ {
+ "source_name": "Unit42 BabyShark Feb 2019",
+ "description": "Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Bartosz Jerzman",
+ "David Lu, Tripwire",
+ "Gerardo Santos",
+ "Travis Smith, Tripwire"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.021000+00:00\", \"old_value\": \"2025-10-24 17:48:49.294000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.\\n\\nAccess to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.\\n\\nThe Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to impair defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\\n\\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. 
It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\\n\\nFinally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)\", \"old_value\": \"Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.\\n\\nAccess to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. 
The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.\\n\\nThe Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\\n\\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. 
It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\\n\\nFinally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)\", \"diff\": \"--- \\n+++ \\n@@ -2,7 +2,7 @@\\n \\n Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.\\n \\n-The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA 
LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\\n+The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to impair defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\\n \\n The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\\n \"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.0\"}}, \"iterable_item_removed\": {\"root['external_references'][7]\": {\"source_name\": \"Microsoft 4657 APR 2017\", \"description\": \"Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.\", \"url\": \"https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657\"}, \"root['external_references'][10]\": {\"source_name\": \"Microsoft RegDelNull July 2016\", \"description\": \"Russinovich, M. & Sharkey, K. (2016, July 4). 
RegDelNull v1.11. Retrieved August 10, 2018.\", \"url\": \"https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull\"}}}",
+ "previous_version": "2.0",
+ "version_change": "2.0 \u2192 3.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may interact with the Windows Registry as part o t Adversaries may interact with the Windows Registry as part o \n f a variety of other techniques to aid in defense evasion, p f a variety of other techniques to aid in defense evasion, p \n ersistence, and execution. Access to specific areas of the ersistence, and execution. Access to specific areas of the \n Registry depends on account permissions, with some keys requ Registry depends on account permissions, with some keys requ \n iring administrator-level access. The built-in Windows comma iring administrator-level access. The built-in Windows comma \n nd-line utility [Reg](https://attack.mitre.org/software/S007 nd-line utility [Reg](https://attack.mitre.org/software/S007 \n 5) may be used for local or remote Registry modification.(Ci 5) may be used for local or remote Registry modification.(Ci \n tation: Microsoft Reg) Other tools, such as remote access to tation: Microsoft Reg) Other tools, such as remote access to \n ols, may also contain functionality to interact with the Reg ols, may also contain functionality to interact with the Reg \n istry through the Windows API. The Registry may be modified istry through the Windows API. 
The Registry may be modified \n in order to hide configuration information or malicious pay in order to hide configuration information or malicious pay \n loads via [Obfuscated Files or Information](https://attack.m loads via [Obfuscated Files or Information](https://attack.m \n itre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2 itre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2 \n 019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft 019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft \n BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra \n 2018) The Registry may also be modified to [Impair Defenses 2018) The Registry may also be modified to impair defenses, \n ](https://attack.mitre.org/techni ques/T1562) , such as by ena such as by enabling macros for all Microsoft Office product \n bling macros for all Microsoft Office products, allowing pri s, allowing privilege escalation without alerting the user, \n vilege escalation without alerting the user, increasing the increasing the maximum number of allowed outbound re quests , \n ma ximum number of allowed outbound requests, and/or modifyin and/or modifying systems to store plainte xt credentials in m \n g systems to store plaintext credentials in memory.(Citationemory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabySha \n : CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019) T rk Feb 2019) The Registry of a remote system may be modifie \n he Registry of a remote system may be modified to aid in exe d to aid in execution of files as part of lateral movement. \n cution of files as part of lateral movement. It requires the It requires the remote Registry service to be running on the \n remote Registry service to be running on the target system. 
target system.(Citation: Microsoft Remote) Often [Valid Acc \n (Citation: Microsoft Remote) Often [Valid Accounts](https:// ounts](https://attack.mitre.org/techniques/T1078) are requir \n attack.mitre.org/techniques/T1078) are required, along with ed, along with access to the remote system's [SMB/Windows Ad \n access to the remote system's [SMB/Windows Admin Shares](htt min Shares](https://attack.mitre.org/techniques/T1021/002) f \n ps://attack.mitre.org/techniques/T1021/002) for RPC communic or RPC communication. Finally, Registry modifications may a \n ation. Finally, Registry modifications may also include act lso include actions to hide keys, such as prepending key nam \n ions to hide keys, such as prepending key names with a null es with a null character, which will cause an error and/or b \n character, which will cause an error and/or be ignored when e ignored when read via [Reg](https://attack.mitre.org/softw \n read via [Reg](https://attack.mitre.org/software/S0075) or o are/S0075) or other utilities using the Win32 API.(Citation: \n ther utilities using the Win32 API.(Citation: Microsoft Regh Microsoft Reghide NOV 2006) Adversaries may abuse these pse \n ide NOV 2006) Adversaries may abuse these pseudo-hidden keys udo-hidden keys to conceal payloads/commands used to maintai \n to conceal payloads/commands used to maintain persistence.( n persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citat \n Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps ion: SpectorOps Hiding Reg Jul 2017) \n Hiding Reg Jul 2017) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1024: Restrict Registry Permissions"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0280: Behavior-Based Registry Modification Detection on Windows"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-10-19 19:42:19.740000+00:00",
+ "modified": "2026-04-16 20:07:53.013000+00:00",
+ "name": "Modify System Image",
+ "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1601",
+ "external_id": "T1601"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.013000+00:00\", \"old_value\": \"2025-10-24 17:49:13.730000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Cisco IOS Software Integrity Assurance - Image File Verification\", \"description\": \"Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.\", \"url\": \"https://tools.cisco.com/security/center/resources/integrity_assurance.html#7\"}, \"root['external_references'][2]\": {\"source_name\": \"Cisco IOS Software Integrity Assurance - Run-Time Memory Verification\", \"description\": \"Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.\", \"url\": \"https://tools.cisco.com/security/center/resources/integrity_assurance.html#13\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1027: Password Policies",
+ "M1032: Multi-factor Authentication",
+ "M1043: Credential Access Protection",
+ "M1045: Code Signing",
+ "M1046: Boot Integrity"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0170: Detection Strategy for Modify System Image on Network Devices"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-10-19 19:53:10.576000+00:00",
+ "modified": "2026-04-16 20:07:53.109000+00:00",
+ "name": "Downgrade System Image",
+ "description": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1601/002",
+ "external_id": "T1601.002"
+ },
+ {
+ "source_name": "Cisco Synful Knock Evolution",
+ "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
+ "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.109000+00:00\", \"old_value\": \"2025-10-24 17:49:39.331000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1027: Password Policies",
+ "M1032: Multi-factor Authentication",
+ "M1043: Credential Access Protection",
+ "M1045: Code Signing",
+ "M1046: Boot Integrity"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0569: Detection Strategy for Downgrade System Image on Network Devices"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-10-19 19:49:24.129000+00:00",
+ "modified": "2026-04-16 20:07:53.106000+00:00",
+ "name": "Patch System Image",
+ "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. 
This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary\u2019s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. 
However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1601/001",
+ "external_id": "T1601.001"
+ },
+ {
+ "source_name": "Killing IOS diversity myth",
+ "description": "Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode design. Retrieved October 20, 2020.",
+ "url": "https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf"
+ },
+ {
+ "source_name": "Cisco IOS Forensics Developments",
+ "description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.",
+ "url": "https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf"
+ },
+ {
+ "source_name": "Cisco IOS Shellcode",
+ "description": "George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved October 21, 2020.",
+ "url": "http://2015.zeronights.org/assets/files/05-Nosenko.pdf"
+ },
+ {
+ "source_name": "Juniper Netscreen of the Dead",
+ "description": "Graeme Neilson . (2009, August). Juniper Netscreen of the Dead. Retrieved October 20, 2020.",
+ "url": "https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf"
+ },
+ {
+ "source_name": "Killing the myth of Cisco IOS rootkits",
+ "description": "Sebastian 'topo' Mu\u00f1iz. (2008, May). Killing the myth of Cisco IOS rootkits. Retrieved October 20, 2020.",
+ "url": "https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.106000+00:00\", \"old_value\": \"2025-10-24 17:49:26.083000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_removed\": {\"root['external_references'][6]\": {\"source_name\": \"Cisco IOS Software Integrity Assurance - Image File Verification\", \"description\": \"Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.\", \"url\": \"https://tools.cisco.com/security/center/resources/integrity_assurance.html#7\"}, \"root['external_references'][7]\": {\"source_name\": \"Cisco IOS Software Integrity Assurance - Run-Time Memory Verification\", \"description\": \"Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.\", \"url\": \"https://tools.cisco.com/security/center/resources/integrity_assurance.html#13\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1027: Password Policies",
+ "M1032: Multi-factor Authentication",
+ "M1043: Credential Access Protection",
+ "M1045: Code Signing",
+ "M1046: Boot Integrity"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0469: Detection Strategy for Patch System Image on Network Devices"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-10-19 16:08:29.817000+00:00",
+ "modified": "2026-04-16 20:07:53.048000+00:00",
+ "name": "Network Boundary Bridging",
+ "description": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1599",
+ "external_id": "T1599"
+ },
+ {
+ "source_name": "Kaspersky ThreatNeedle Feb 2021",
+ "description": "Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.",
+ "url": "https://securelist.com/lazarus-threatneedle/100803/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:53.048000+00:00\", \"old_value\": \"2025-10-24 17:49:16.493000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1027: Password Policies",
+ "M1032: Multi-factor Authentication",
+ "M1037: Filter Network Traffic",
+ "M1043: Credential Access Protection"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0006: Detection Strategy for Network Boundary Bridging"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-10-19 16:48:08.241000+00:00",
+ "modified": "2026-04-16 20:07:52.887000+00:00",
+ "name": "Network Address Translation Traversal",
+ "description": "Adversaries may bridge network boundaries by modifying a network device\u2019s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they may modify NAT configurations to send traffic between two separated networks, or to obscure their activities. In network designs that require NAT to function, such modifications enable the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In network designs that do not require NAT, adversaries may use address translation to further obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-impairment"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1599/001",
+ "external_id": "T1599.001"
+ },
+ {
+ "source_name": "RFC1918",
+ "description": "IETF Network Working Group. (1996, February). Address Allocation for Private Internets. Retrieved October 20, 2020.",
+ "url": "https://tools.ietf.org/html/rfc1918"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-16 20:07:52.887000+00:00\", \"old_value\": \"2025-10-24 17:48:46.071000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"defense-impairment\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1026: Privileged Account Management",
+ "M1027: Password Policies",
+ "M1032: Multi-factor Authentication",
+ "M1037: Filter Network Traffic",
+ "M1043: Credential Access Protection"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0163: Detection Strategy for Network Address Translation Traversal"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-05-31 21:30:32.662000+00:00",
+ "modified": "2026-04-15 22:14:56.435000+00:00",
+ "name": "Obfuscated Files or Information",
+ "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027",
+ "external_id": "T1027"
+ },
+ {
+ "source_name": "Volexity PowerDuke November 2016",
+ "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",
+ "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
+ },
+ {
+ "source_name": "FireEye Obfuscation June 2017",
+ "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.",
+ "url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
+ },
+ {
+ "source_name": "FireEye Revoke-Obfuscation July 2017",
+ "description": "Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved November 17, 2024.",
+ "url": "https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf"
+ },
+ {
+ "source_name": "Linux/Cdorked.A We Live Security Analysis",
+ "description": "Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.",
+ "url": "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/"
+ },
+ {
+ "source_name": "Carbon Black Obfuscation Sept 2016",
+ "description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.",
+ "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/"
+ },
+ {
+ "source_name": "PaloAlto EncodedCommand March 2017",
+ "description": "White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Christiaan Beek, @ChristiaanBeek",
+ "Red Canary"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "ESXi",
+ "Linux",
+ "macOS",
+ "Network Devices",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:14:56.435000+00:00\", \"old_value\": \"2025-10-24 17:49:15.265000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \\n\\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \\n\\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Carbon Black Obfuscation Sept 2016)\\n\\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). 
Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) \", \"old_value\": \"Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \\n\\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \\n\\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\\n\\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). 
Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) \", \"diff\": \"--- \\n+++ \\n@@ -1,7 +1,7 @@\\n Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \\n \\n-Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \\n+Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. 
\\n \\n-Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\\n+Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Carbon Black Obfuscation Sept 2016)\\n \\n-Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) \\n+Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). 
Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) \"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.7\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"GitHub Revoke-Obfuscation\", \"description\": \"Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.\", \"url\": \"https://github.com/danielbohannon/Revoke-Obfuscation\"}, \"root['external_references'][5]\": {\"source_name\": \"GitHub Office-Crackros Aug 2016\", \"description\": \"Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.\", \"url\": \"https://github.com/itsreallynick/office-crackros\"}}}",
+ "previous_version": "1.7",
+ "version_change": "1.7 \u2192 2.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may attempt to make an executable or file diffic t Adversaries may attempt to make an executable or file diffic \n ult to discover or analyze by encrypting, encoding, or other ult to discover or analyze by encrypting, encoding, or other \n wise obfuscating its contents on the system or in transit. T wise obfuscating its contents on the system or in transit. T \n his is common behavior that can be used across different pla his is common behavior that can be used across different pla \n tforms and the network to evade defenses. Payloads may be tforms and the network to evade defenses. Payloads may be \n compressed, archived, or encrypted in order to avoid detecti compressed, archived, or encrypted in order to avoid detecti \n on. These payloads may be used during Initial Access or late on. These payloads may be used during Initial Access or late \n r to mitigate detection. Sometimes a user's action may be re r to mitigate detection. Sometimes a user's action may be re \n quired to open and [Deobfuscate/Decode Files or Information] quired to open and [Deobfuscate/Decode Files or Information] \n (https://attack.mitre.org/techniques/T1140) for [User Execut (https://attack.mitre.org/techniques/T1140) for [User Execut \n ion](https://attack.mitre.org/techniques/T1204). The user ma ion](https://attack.mitre.org/techniques/T1204). The user ma \n y also be required to input a password to open a password pr y also be required to input a password to open a password pr \n otected compressed/encrypted file that was provided by the a otected compressed/encrypted file that was provided by the a \n dversary. (Citation: Volexity PowerDuke November 2016) Adver dversary.(Citation: Volexity PowerDuke November 2016) Advers \n saries may also use compressed or archived scripts, such as aries may also use compressed or archived scripts, such as J \n JavaScript. Portions of files can also be encoded to hide avaScript. 
Portions of files can also be encoded to hide t \n the plain-text strings that would otherwise help defenders w he plain-text strings that would otherwise help defenders wi \n ith discovery. (Citation: Linux/Cdorked.A We Live Security A th discovery.(Citation: Linux/Cdorked.A We Live Security Ana \n nalysis) Payloads may also be split into separate, seemingly lysis) Payloads may also be split into separate, seemingly b \n benign files that only reveal malicious functionality when enign files that only reveal malicious functionality when re \n reassembled. (Citation: Carbon Black Obfuscation Sept 2016) assembled.(Citation: Carbon Black Obfuscation Sept 2016) Ad \n Adversaries may also abuse [Command Obfuscation](https://at versaries may also abuse [Command Obfuscation](https://attac \n tack.mitre.org/techniques/T1027/010) to obscure commands exe k.mitre.org/techniques/T1027/010) to obscure commands execut \n cuted from payloads or directly via [Command and Scripting I ed from payloads or directly via [Command and Scripting Inte \n nterpreter](https://attack.mitre.org/techniques/T1059). Envi rpreter](https://attack.mitre.org/techniques/T1059). Environ \n ronment variables, aliases, characters, and other platform/l ment variables, aliases, characters, and other platform/lang \n anguage specific semantics can be used to evade signature ba uage specific semantics can be used to evade signature based \n sed detections and application control mechanisms. (Citation detections and application control mechanisms.(Citation: Fi \n : FireEye Obfuscation June 2017) (Citation: FireEye Revoke-O reEye Obfuscation June 2017)(Citation: Fire Eye Revoke-Obfusc \n bfuscation July 2017)(Citation: PaloAlto EncodedCommand Marc ation July 2017)(Citation: PaloAlto EncodedCommand March 201 \n h 2017) 7) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1017: User Training",
+ "M1040: Behavior Prevention on Endpoint",
+ "M1047: Audit",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0378: Behavioral Detection of Obfuscated Files or Information"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-02-05 14:04:25.865000+00:00",
+ "modified": "2026-04-15 22:15:33.904000+00:00",
+ "name": "Binary Padding",
+ "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/001",
+ "external_id": "T1027.001"
+ },
+ {
+ "source_name": "ESET OceanLotus",
+ "description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
+ "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
+ },
+ {
+ "source_name": "Securelist Malware Tricks April 2017",
+ "description": "Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.",
+ "url": "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/"
+ },
+ {
+ "source_name": "VirusTotal FAQ",
+ "description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.",
+ "url": "https://www.virustotal.com/en/faq/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Martin Jirkal, ESET"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:15:33.904000+00:00\", \"old_value\": \"2025-10-24 17:48:50.205000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0553: Detection Strategy for Obfuscated Files or Information: Binary Padding"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-03-14 17:36:01.022000+00:00",
+ "modified": "2026-04-15 22:16:39.249000+00:00",
+ "name": "Command Obfuscation",
+ "description": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)\n\nFor example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`. `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`\u201cWor\u201d+\u201cd.Application\u201d`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)\n\nAdversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\\voi\\pcw\\..\\..\\Windows\\tei\\qs\\k\\..\\..\\..\\system32\\erool\\..\\wbem\\wg\\je\\..\\..\\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)\n\nTools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/010",
+ "external_id": "T1027.010"
+ },
+ {
+ "source_name": "Twitter Richard WMIC",
+ "description": "Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12, 2024.",
+ "url": "https://x.com/rfackroyd/status/1639136000755765254"
+ },
+ {
+ "source_name": "Invoke-Obfuscation",
+ "description": "Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023.",
+ "url": "https://github.com/danielbohannon/Invoke-Obfuscation"
+ },
+ {
+ "source_name": "Invoke-DOSfuscation",
+ "description": "Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023.",
+ "url": "https://github.com/danielbohannon/Invoke-DOSfuscation"
+ },
+ {
+ "source_name": "FireEye Obfuscation June 2017",
+ "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.",
+ "url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
+ },
+ {
+ "source_name": "Malware Monday VBE",
+ "description": "Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023.",
+ "url": "https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16"
+ },
+ {
+ "source_name": "Akamai JS",
+ "description": "Katz, O. (2020, October 26). Catch Me if You Can\u2014JavaScript Obfuscation. Retrieved March 17, 2023.",
+ "url": "https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation"
+ },
+ {
+ "source_name": "Bashfuscator Command Obfuscators",
+ "description": "LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023.",
+ "url": "https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html"
+ },
+ {
+ "source_name": "Microsoft PowerShellB64",
+ "description": "Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023.",
+ "url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand"
+ },
+ {
+ "source_name": "RC PowerShell",
+ "description": "Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023.",
+ "url": "https://redcanary.com/threat-detection-report/techniques/powershell/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "George Thomas",
+ "Tim Peck",
+ "TruKno"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:16:39.249000+00:00\", \"old_value\": \"2025-04-15 22:06:13.992000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1040: Behavior Prevention on Endpoint",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0505: Detection Strategy for Command Obfuscation"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-16 15:30:57.711000+00:00",
+ "modified": "2026-04-15 22:16:52.765000+00:00",
+ "name": "Compile After Delivery",
+ "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/004",
+ "external_id": "T1027.004"
+ },
+ {
+ "source_name": "ClearSky MuddyWater Nov 2018",
+ "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
+ },
+ {
+ "source_name": "ATTACK IQ",
+ "description": "Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.",
+ "url": "https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/"
+ },
+ {
+ "source_name": "TrendMicro WindowsAppMac",
+ "description": "Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Liran Ravich, CardinalOps",
+ "Praetorian",
+ "Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:16:52.765000+00:00\", \"old_value\": \"2025-10-24 17:49:22.358000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0501: Detection Strategy for Compile After Delivery - Source Code to Executable Transformation"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--fbd91bfc-75c2-4f0c-8116-3b4e722906b3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2025-03-04 18:29:33.850000+00:00",
+ "modified": "2026-04-15 22:16:53.338000+00:00",
+ "name": "Compression",
+ "description": "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)\n\nIn order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.(Citation: Perception Point)\n\nFile archives may be sent as one [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., [Malicious File](https://attack.mitre.org/techniques/T1204/002)).(Citation: NTT Security Flagpro new December 2021) However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News)\n\n[Compression](https://attack.mitre.org/techniques/T1027/015) may be used in combination with [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013) where compressed files are encrypted and password-protected.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/015",
+ "external_id": "T1027.015"
+ },
+ {
+ "source_name": "Perception Point",
+ "description": "Arthur Vaiselbuh, Peleg Cabra. (2024, November 7). Evasive ZIP Concatenation: Trojan Targets Windows Users. Retrieved March 3, 2025.",
+ "url": "https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/"
+ },
+ {
+ "source_name": "NTT Security Flagpro new December 2021",
+ "description": "Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.",
+ "url": "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech"
+ },
+ {
+ "source_name": "The Hacker News",
+ "description": "Ravie Lakshmanan. (2023, April 5). Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks. Retrieved March 3, 2025.",
+ "url": "https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html"
+ },
+ {
+ "source_name": "Trustwave Pillowmint June 2020",
+ "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020.",
+ "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Fernando Bacchin"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:16:53.338000+00:00\", \"old_value\": \"2025-04-15 19:59:24.125000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0281: Detection Strategy for Compressed Payload Creation and Execution"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-08-22 20:42:08.498000+00:00",
+ "modified": "2026-04-15 22:17:50.411000+00:00",
+ "name": "Dynamic API Resolution",
+ "description": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.\n\nAPI functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)\n\nTo avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.\n\nVarious methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/007",
+ "external_id": "T1027.007"
+ },
+ {
+ "source_name": "Huntress API Hash",
+ "description": "Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.",
+ "url": "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection"
+ },
+ {
+ "source_name": "BlackHat API Packers",
+ "description": "Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.",
+ "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf"
+ },
+ {
+ "source_name": "Drakonia HInvoke",
+ "description": "drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022.",
+ "url": "https://dr4k0nia.github.io/posts/HInvoke-and-avoiding-PInvoke/"
+ },
+ {
+ "source_name": "IRED API Hashing",
+ "description": "spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022.",
+ "url": "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:17:50.411000+00:00\", \"old_value\": \"2025-04-15 22:24:25.266000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://dr4k0nia.github.io/posts/HInvoke-and-avoiding-PInvoke/\", \"old_value\": \"https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avoiding-PInvoke.html?s=03\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0091: Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2022-09-30 18:50:14.351000+00:00",
+ "modified": "2026-04-15 22:18:17.938000+00:00",
+ "name": "Embedded Payloads",
+ "description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) \n\nAdversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) \n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) \n\nEmbedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/009",
+ "external_id": "T1027.009"
+ },
+ {
+ "source_name": "GitHub PSImage",
+ "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
+ "url": "https://github.com/peewpw/Invoke-PSImage"
+ },
+ {
+ "source_name": "Malware Analysis Report ComRAT",
+ "description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 \u2013 PowerShell Script: ComRAT. Retrieved September 30, 2022.",
+ "url": "https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a"
+ },
+ {
+ "source_name": "Trend Micro",
+ "description": "Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.",
+ "url": "https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html"
+ },
+ {
+ "source_name": "Securelist Dtrack2",
+ "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
+ "url": "https://securelist.com/my-name-is-dtrack/93338/"
+ },
+ {
+ "source_name": "Microsoft Learn",
+ "description": "Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.",
+ "url": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1"
+ },
+ {
+ "source_name": "SentinelLabs reversing run-only applescripts 2021",
+ "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.",
+ "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
+ },
+ {
+ "source_name": "Sentinel Labs",
+ "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
+ "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Nick Cairns, @grotezinfosec"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:18:17.938000+00:00\", \"old_value\": \"2025-04-15 19:58:03.051000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1040: Behavior Prevention on Endpoint",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0214: Detection Strategy for Embedded Payloads"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-03-29 12:38:17.135000+00:00",
+ "modified": "2026-04-15 22:18:22.179000+00:00",
+ "name": "Encrypted/Encoded File",
+ "description": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.\n\nThis type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.\n\nThe entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.\n\nFor example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) \n\nAdversaries may also abuse file-specific as well as custom encoding schemes. 
For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/013",
+ "external_id": "T1027.013"
+ },
+ {
+ "source_name": "File obfuscation",
+ "description": "Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July 19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved March 29, 2024.",
+ "url": "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/"
+ },
+ {
+ "source_name": "SFX - Encrypted/Encoded File",
+ "description": "Jai Minton. (2023, March 31). How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads. Retrieved March 29, 2024.",
+ "url": "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Andrew Northern, @ex_raritas",
+ "David Galazin @themalwareman1",
+ "Jai Minton, @Cyberraiju"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:18:22.179000+00:00\", \"old_value\": \"2025-04-15 19:58:05.840000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1040: Behavior Prevention on Endpoint",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0087: Encrypted or Encoded File Payload Detection Strategy"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-03-23 19:55:25.546000+00:00",
+ "modified": "2026-04-15 22:18:39.119000+00:00",
+ "name": "Fileless Storage",
+ "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. 
\n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/011",
+ "external_id": "T1027.011"
+ },
+ {
+ "source_name": "Aquasec Muhstik Malware 2024",
+ "description": " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.",
+ "url": "https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/"
+ },
+ {
+ "source_name": "Bitsight 7777 Botnet",
+ "description": "Batista, Jo\u00e3o. Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.",
+ "url": "https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet"
+ },
+ {
+ "source_name": "CISCO Nexus 900 Config",
+ "description": "CISCO. (2021, September 14). Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide, Release 7.x. Retrieved June 5, 2025.",
+ "url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/fundamentals/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x_chapter_01000.html"
+ },
+ {
+ "source_name": "Elastic Binary Executed from Shared Memory Directory",
+ "description": "Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.",
+ "url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html"
+ },
+ {
+ "source_name": "SecureList Fileless",
+ "description": "Legezo, D. (2022, May 4). A new secret stash for \u201cfileless\u201d malware. Retrieved March 23, 2023.",
+ "url": "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/"
+ },
+ {
+ "source_name": "Microsoft Fileless",
+ "description": "Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.",
+ "url": "https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats"
+ },
+ {
+ "source_name": "Sysdig Fileless Malware 23022",
+ "description": "Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.",
+ "url": "https://sysdig.com/blog/containers-read-only-fileless-malware/"
+ },
+ {
+ "source_name": "Akami Frog4Shell 2024",
+ "description": "Ori David. (2024, February 1). Frog4Shell \u2014 FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.",
+ "url": "https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Christopher Peacock",
+ "Denise Tan",
+ "Mark Wee",
+ "Simona David",
+ "Vito Alfano, Group-IB",
+ "Xavier Rousseau"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "x_mitre_version": "3.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:18:39.119000+00:00\", \"old_value\": \"2025-06-05 15:30:20.139000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may store data in \\\"fileless\\\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\\n\\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\\n\\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). 
Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \\n\\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\\\System32\\\\Wbem\\\\Repository`) or Registry (e.g., `%SystemRoot%\\\\System32\\\\Config`) physical files.(Citation: Microsoft Fileless) \", \"old_value\": \"Adversaries may store data in \\\"fileless\\\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\\n\\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. 
Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\\n\\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \\n\\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\\\System32\\\\Wbem\\\\Repository`) or Registry (e.g., `%SystemRoot%\\\\System32\\\\Config`) physical files.(Citation: Microsoft Fileless) \", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n Adversaries may store data in \\\"fileless\\\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. 
Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\\n \\n-Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\\n+Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. 
Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\\n \\n Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \\n \"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}}",
+ "previous_version": "2.1",
+ "version_change": "2.1 \u2192 3.0",
+ "description_change_table": "\n \n \n \n \n \n t Adversaries may store data in \"fileless\" formats to conceal t Adversaries may store data in \"fileless\" formats to conceal \n malicious activity from defenses. Fileless storage can be br malicious activity from defenses. Fileless storage can be br \n oadly defined as any format other than a file. Common exampl oadly defined as any format other than a file. Common exampl \n es of non-volatile fileless storage in Windows systems inclu es of non-volatile fileless storage in Windows systems inclu \n de the Windows Registry, event logs, or WMI repository.(Cita de the Windows Registry, event logs, or WMI repository.(Cita \n tion: Microsoft Fileless)(Citation: SecureList Fileless) Sha tion: Microsoft Fileless)(Citation: SecureList Fileless) Sha \n red memory directories on Linux systems (`/dev/shm`, `/run/s red memory directories on Linux systems (`/dev/shm`, `/run/s \n hm`, `/var/run`, and `/var/lock`) and volatile directories o hm`, `/var/run`, and `/var/lock`) and volatile directories o \n n Network Devices (`/tmp` and `/volatile`) may also be consi n Network Devices (`/tmp` and `/volatile`) may also be consi \n dered fileless storage, as files written to these directorie dered fileless storage, as files written to these directorie \n s are mapped directly to RAM and not stored on the disk.(Cit s are mapped directly to RAM and not stored on the disk.(Cit \n ation: Elastic Binary Executed from Shared Memory Directory) ation: Elastic Binary Executed from Shared Memory Directory) \n (Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik (Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik \n Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISC Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISC \n O Nexus 900 Config). Similar to fileless in-memory behavior O Nexus 900 Config). 
Similar to fileless in-memory behavior \n s such as [Reflective Code Loading](https://attack.mitre.org s such as [Reflective Code Loading](https://attack.mitre.org \n /techniques/T1620) and [Process Injection](https://attack.mi /techniques/T1620) and [Process Injection](https://attack.mi \n tre.org/techniques/T1055), fileless data storage may remain tre.org/techniques/T1055), fileless data storage may remain \n undetected by anti-virus and other endpoint security tools t undetected by antivirus and other endpoint security tools th \n hat can only access specific file formats from disk storage. at can only access specific file formats from disk storage. \n Leveraging fileless storage may also allow adversaries to b Leveraging fileless storage may also allow adversaries to by \n ypass the protections offered by read-only file systems in Lpass the protections offered by read -only file systems in Li \n inux.(Citation: Sysdig Fileless Malware 23022) Adversaries nux.(Citation: Sysdig Fileless Malware 23022) Adversaries m \n may use fileless storage to conceal various types of stored ay use fileless storage to conceal various types of stored d \n data, including payloads/shellcode (potentially being used a ata, including payloads/shellcode (potentially being used as \n s part of [Persistence](https://attack.mitre.org/tactics/TA0 part of [Persistence](https://attack.mitre.org/tactics/TA00 \n 003)) and collected data not yet exfiltrated from the victim 03)) and collected data not yet exfiltrated from the victim \n (e.g., [Local Data Staging](https://attack.mitre.org/techni (e.g., [Local Data Staging](https://attack.mitre.org/techniq \n ques/T1074/001)). Adversaries also often encrypt, encode, sp ues/T1074/001)). Adversaries also often encrypt, encode, spl \n lice, or otherwise obfuscate this fileless data when stored. ice, or otherwise obfuscate this fileless data when stored. 
\n Some forms of fileless storage activity may indirectly cr Some forms of fileless storage activity may indirectly cre \n eate artifacts in the file system, but in central and otherw ate artifacts in the file system, but in central and otherwi \n ise difficult to inspect formats such as the WMI (e.g., `%Sy se difficult to inspect formats such as the WMI (e.g., `%Sys \n stemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%Sy temRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%Sys \n stemRoot%\\System32\\Config`) physical files.(Citation: Micros temRoot%\\System32\\Config`) physical files.(Citation: Microso \n oft Fileless) ft Fileless) \n \n
",
+ "changelog_mitigations": {
+ "shared": [
+ "M1047: Audit"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0344: Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-05-20 12:20:42.219000+00:00",
+ "modified": "2026-04-15 22:19:27.839000+00:00",
+ "name": "HTML Smuggling",
+ "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/006",
+ "external_id": "T1027.006"
+ },
+ {
+ "source_name": "Outlflank HTML Smuggling 2018",
+ "description": "Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.",
+ "url": "https://outflank.nl/blog/2018/08/14/html-smuggling-explained/"
+ },
+ {
+ "source_name": "MSTIC NOBELIUM May 2021",
+ "description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.",
+ "url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+ },
+ {
+ "source_name": "HTML Smuggling Menlo Security 2020",
+ "description": "Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.",
+ "url": "https://www.menlosecurity.com/blog/new-attack-alert-duri"
+ },
+ {
+ "source_name": "nccgroup Smuggling HTA 2017",
+ "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved September 12, 2024.",
+ "url": "https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Jonathan Boucher, @crash_wave, Bank of Canada",
+ "Krishnan Subramanian, @krish203",
+ "Stan Hegt, Outflank",
+ "Vinay Pidathala"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:19:27.839000+00:00\", \"old_value\": \"2025-10-24 17:49:27.501000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}}",
+ "previous_version": "1.3",
+ "version_change": "1.3 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1048: Application Isolation and Sandboxing"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0313: Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-03-19 21:27:32.820000+00:00",
+ "modified": "2026-04-15 22:19:28.558000+00:00",
+ "name": "Indicator Removal from Tools",
+ "description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/005",
+ "external_id": "T1027.005"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:19:28.558000+00:00\", \"old_value\": \"2025-10-24 17:49:13.906000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
+ "previous_version": "1.2",
+ "version_change": "1.2 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0189: Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--671cd17f-a765-48fd-adc4-dad1941b1ae3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2025-03-04 21:38:49.913000+00:00",
+ "modified": "2026-04-15 22:19:48.489000+00:00",
+ "name": "Junk Code Insertion",
+ "description": "Adversaries may use junk code / dead code to obfuscate a malware\u2019s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)\n\nNo-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.(Citation: ReasonLabs)\n\nThe use of junk / dead code insertion is distinct from [Binary Padding](https://attack.mitre.org/techniques/T1027/001) because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware\u2019s signature. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/016",
+ "external_id": "T1027.016"
+ },
+ {
+ "source_name": "ReasonLabs",
+ "description": "ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025.",
+ "url": "https://cyberpedia.reasonlabs.com/EN/dead%20code%20insertion.html"
+ },
+ {
+ "source_name": "ReasonLabs Cyberpedia Junk Code",
+ "description": "What is Junk Code?. (n.d.). ReasonLabs. Retrieved April 4, 2025.",
+ "url": "https://cyberpedia.reasonlabs.com/EN/junk%20code.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Joas Antonio dos Santos, @C0d3Cr4zy"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:19:48.489000+00:00\", \"old_value\": \"2025-04-15 19:58:37.495000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0322: Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2023-09-29 15:28:42.409000+00:00",
+ "modified": "2026-04-15 22:20:54.005000+00:00",
+ "name": "LNK Icon Smuggling",
+ "description": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. \n\nAdversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)\n\nLNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. \n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/012",
+ "external_id": "T1027.012"
+ },
+ {
+ "source_name": "Unprotect Shortcut",
+ "description": "Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023.",
+ "url": "https://unprotect.it/technique/shortcut-hiding/"
+ },
+ {
+ "source_name": "Booby Trap Shortcut 2017",
+ "description": "Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023.",
+ "url": "https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Michael Raggi @aRtAGGI",
+ "Andrew Northern, @ex_raritas",
+ "Gregory Lesnewich, @greglesnewich"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:20:54.005000+00:00\", \"old_value\": \"2025-10-24 17:49:04.385000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut\", \"old_value\": \"https://www.uperesia.com/booby-trapped-shortcut\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
+ "previous_version": "1.0",
+ "version_change": "1.0 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1040: Behavior Prevention on Endpoint",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0405: Detection Strategy for LNK Icon Smuggling"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-09-27 12:28:03.938000+00:00",
+ "modified": "2026-04-15 22:20:58.199000+00:00",
+ "name": "Polymorphic Code",
+ "description": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "stealth"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027/014",
+ "external_id": "T1027.014"
+ },
+ {
+ "source_name": "polymorphic-blackberry",
+ "description": "Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September 27, 2024.",
+ "url": "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware"
+ },
+ {
+ "source_name": "polymorphic-sentinelone",
+ "description": "SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples and Challenges. Retrieved September 27, 2024.",
+ "url": "https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware"
+ },
+ {
+ "source_name": "polymorphic-medium",
+ "description": "Shellseekercyber. (2024, January 7). Explainer: Packed Malware. Retrieved September 27, 2024.",
+ "url": "https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035"
+ },
+ {
+ "source_name": "polymorphic-linkedin",
+ "description": "Sherwin Akshay. (2024, May 28). Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff. Retrieved September 27, 2024.",
+ "url": "https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "TruKno",
+ "Ye Yint Min Thu Htut, Active Defense Team, DBS Bank"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_version": "2.0",
+ "detailed_diff": "{\"dictionary_item_removed\": {\"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-04-15 22:20:58.199000+00:00\", \"old_value\": \"2025-04-15 19:59:00.006000+00:00\"}, \"root['kill_chain_phases'][0]['phase_name']\": {\"new_value\": \"stealth\", \"old_value\": \"defense-evasion\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
+ "previous_version": "1.1",
+ "version_change": "1.1 \u2192 2.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1040: Behavior Prevention on Endpoint",
+ "M1049: Antivirus/Antimalware"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_datacomponent_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detectionstrategy_detections": {
+ "shared": [
+ "DET0324: Detection Strategy for Polymorphic Code Mutation and Execution"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--78b9e70d-1605-459c-b23d-e3a25036968c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2025-03-25 15:31:09.697000+00:00",
+ "modified": "2026-04-15 22:22:02.298000+00:00",
+ "name": "SVG Smuggling",
+ "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `
+
+{% endblock %}
diff --git a/modules/resources/templates/attack-advisory-council.html b/modules/resources/templates/attack-advisory-council.html
new file mode 100644
index 00000000000..bbdd55580cb
--- /dev/null
+++ b/modules/resources/templates/attack-advisory-council.html
@@ -0,0 +1,48 @@
+{% extends "general/two-column.html" %}
+{% set active_page = "resources" -%}
+{% set title = page.title + " | MITRE ATT&CK®" -%}
+
+{% block innerleft %}
+
+{% endblock %}
+
+{% block innerright %}
+
+ Home
+ Resources
+ ATT&CK Advisory Council
+
+
+
+
+
+
+
{{ page.title }}
+
MITRE announced the ATT&CK Advisory Council on February 25, 2026, to strengthen long-term stewardship of the ATT&CK program.
+
The council is an independent advisory body created to support the long-term sustainability, integrity, and global impact of the MITRE ATT&CK program.
+
The ATT&CK Advisory Council brings together experienced leaders from government, industry, and academia to provide strategic guidance on ATT&CK's continued evolution.
+
+
What the Council Advises On
+
Members of the ATT&CK Advisory Council will advise MITRE on the following items.
+
+ Long-term strategy for ATT&CK
+ Content and roadmap development
+ Methodology and quality standards
+ Community engagement and transparency
+ Program sustainability
+ Emerging risks, opportunities, and trends across the cybersecurity landscape
+
+
+
Advisory Role
+
The ATT&CK Advisory Council offers guidance and advice but does not have governing authority over ATT&CK.
+
MITRE will consider the Council's recommendations as part of managing and advancing the program, reinforcing a shared commitment to responsible, inclusive stewardship of ATT&CK for the benefit of the global cybersecurity community.
+
+
+
+
+{% endblock %}
+
+{% block scripts %}
+{{ super() }}
+
+{% endblock %}
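Review bot: The `innerleft` block is empty and the `scripts` block only re-emits `{{ super() }}`, so both overrides are no-ops and can be dropped unless the base template requires them to be declared. The breadcrumb hard-codes the page name while the heading reads `{{ page.title }}`; using `{{ page.title }}` in the breadcrumb as well keeps the two from drifting if the page is renamed.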
diff --git a/modules/search/search.py b/modules/search/search.py
index 63493ff37e8..95edf3e60fd 100644
--- a/modules/search/search.py
+++ b/modules/search/search.py
@@ -15,9 +15,11 @@
types_hash = set(types)
sub_types_hash = set(sub_types)
dist_words = 0
+domains = ["enterprise", "mobile", "ics"]
def generate_index():
+ """Generate JSON search indexes from the built website output."""
logger.info("Creating searchable index for the site")
index_data = defaultdict(list)
global_id_counter = 0
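Review bot: The new module-level `domains = ["enterprise", "mobile", "ics"]` duplicates the domain configuration that other modules read from `site_config.domains` (see the `domain["name"]` and `domain.split("-")[0]` usage in tactics.py in this same commit), so adding a domain later means updating two lists. If search.py already imports site_config, deriving it as `domains = [d["name"].split("-")[0] for d in site_config.domains]` keeps the search index in step with the rest of the build; if it does not, a comment such as `# keep in sync with site_config.domains` is the minimum. The new helpers in the last hunk call `re.match`/`re.search`; the hunk does not show an `import re`, so confirm it is present at the top of the file.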
@@ -36,30 +38,7 @@ def generate_index():
path = absolute_path[6:]
- if path.startswith("/mitigations/"):
- file_type = "mitigations"
- elif path.startswith("/assets/"):
- file_type = "assets"
- elif path.startswith("/matrices/"):
- file_type = "matrices"
- elif path.startswith("/groups/"):
- file_type = "groups"
- elif path.startswith("/campaigns/"):
- file_type = "campaigns"
- elif path.startswith("/datacomponents/"):
- file_type = "datacomponents"
- elif path.startswith("/software/"):
- file_type = "software"
- elif path.startswith("/tactics/"):
- file_type = "tactics"
- elif path.startswith("/techniques/"):
- file_type = "techniques"
- elif path.startswith("/detectionstrategies/"):
- file_type = "detectionstrategies"
- elif path.startswith("/analytics/"):
- file_type = "analytics"
- else:
- file_type = "misc"
+ file_type = get_page_type(path)
if not skipindex:
index_data[file_type].append(
@@ -68,6 +47,8 @@ def generate_index():
"title": title,
"path": path,
"content": cleancontent,
+ "pageType": file_type,
+ "domains": get_domains(title),
}
)
global_id_counter += 1
@@ -102,10 +83,51 @@ def generate_index():
preserve_current_version()
+def get_page_type(path):
+ """Get the search page type for a generated site path."""
+ if re.match(r"^/techniques/[^/]+/[^/]+/index\.html$", path):
+ return "sub-techniques"
+ if path.startswith("/mitigations/"):
+ return "mitigations"
+ if path.startswith("/assets/"):
+ return "assets"
+ if path.startswith("/matrices/"):
+ return "matrices"
+ if path.startswith("/groups/"):
+ return "groups"
+ if path.startswith("/campaigns/"):
+ return "campaigns"
+ if path.startswith("/datacomponents/"):
+ return "datacomponents"
+ if path.startswith("/software/"):
+ return "software"
+ if path.startswith("/tactics/"):
+ return "tactics"
+ if path.startswith("/techniques/"):
+ return "techniques"
+ if path.startswith("/detectionstrategies/"):
+ return "detectionstrategies"
+ if path.startswith("/analytics/"):
+ return "analytics"
+ return "resources"
+
+
+def get_domains(title):
+ """Get explicit ATT&CK domains encoded in the page title."""
+ page_domains = []
+
+ for domain in domains:
+ if re.search(rf"(^| - ){domain}( - |$)", title, re.IGNORECASE):
+ page_domains.append(domain)
+
+ return page_domains
+
+
skiplines = ["breadcrumb-item", "nav-link"]
def skipline(line):
+ """Return whether a line should be excluded from indexed search content."""
for skip in skiplines:
if skip in line:
return True
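Review bot: `get_domains` rebuilds an f-string regex for every domain on every indexed page, and interpolates the domain name unescaped; compiling the patterns once at module level with `re.escape` is both cheaper in the indexing loop and safe if the domain list ever gains a name with regex metacharacters. Its docstring should also state the convention it relies on, e.g. `"""Return the ATT&CK domains named as " - <domain>" segments of a page title (case-insensitive)."""`, since a page whose title does not follow that pattern gets an empty list. Separately, `get_page_type` now returns `"resources"` where the removed chain returned `"misc"`, which renames the fall-through bucket in the generated index; any consumer still reading the `misc` key (the search front end is not in this hunk) would silently lose those pages, so this is worth a mention in the commit message.
```python
_DOMAIN_PATTERNS = [
    (domain, re.compile(rf"(^| - ){re.escape(domain)}( - |$)", re.IGNORECASE))
    for domain in domains
]


def get_domains(title):
    """Return the ATT&CK domains named as " - <domain>" segments of a page title (case-insensitive)."""
    return [domain for domain, pattern in _DOMAIN_PATTERNS if pattern.search(title)]
```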
diff --git a/modules/site_config.py b/modules/site_config.py
index 03df9c42518..b684c286648 100644
--- a/modules/site_config.py
+++ b/modules/site_config.py
@@ -139,9 +139,9 @@ def set_subdirectory(subdirectory_str):
# Redirect md string template
redirect_md_index = Template(
- "Title: ${title}\nTemplate: general/redirect-index\nRedirectLink: ${to}\nsave_as: ${from}/index.html"
+ "Title: ${title}\nTemplate: general/redirect-index\nRedirectLink: ${to}\nprivate: True\nsave_as: ${from}/index.html"
)
-redirect_md = Template("Title: ${title}\nTemplate: general/redirect-index\nRedirectLink: ${to}\nsave_as: ${from}")
+redirect_md = Template("Title: ${title}\nTemplate: general/redirect-index\nRedirectLink: ${to}\nprivate: True\nsave_as: ${from}")
# Custom_alphabet used to sort list of dictionaries by domain name
# depending on domain ordering
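Review bot: The `private: True` metadata line is now spelled out in the two `Template` strings here and again in tactics_config.py and techniques_config.py in this commit, so the redirect-page header lives in four places and the next field added to it has to be added four times. A single shared prefix constant in site_config (the `Title`/`Template`/`RedirectLink`/`private` lines) that the two `Template` strings and the two config modules build on would remove the duplication. The commit does not say what consumes `private: True`; if it is what keeps redirect stubs out of the search index built in search.py, a one-line comment above `redirect_md_index` naming that purpose would help the next reader.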
@@ -173,7 +173,7 @@ def set_subdirectory(subdirectory_str):
"Title: ${domain} Techniques\nTemplate: general/json\nsave_as: ${path}/${attack_id}-${domain}-layer.json\njson: "
)
layer_version = "4.5"
-navigator_version = "5.2.0"
+navigator_version = "5.3.2"
# Directory for test reports
test_report_directory = "reports"
diff --git a/modules/tactics/tactics.py b/modules/tactics/tactics.py
index 34f4d29cab8..eda96bc438c 100644
--- a/modules/tactics/tactics.py
+++ b/modules/tactics/tactics.py
@@ -37,7 +37,8 @@ def generate_tactics():
)
tactics[domain["name"]] = util.stixhelpers.get_tactic_list(ms[domain["name"]], domain["name"])
- side_nav_data = util.buildhelpers.get_side_nav_domains_data("tactics", tactics)
+ active_tactics = get_active_tactics_by_domain(tactics)
+ side_nav_data = util.buildhelpers.get_side_nav_domains_data("tactics", active_tactics)
generate_sidebar_tactics(side_nav_data)
for domain in site_config.domains:
@@ -56,11 +57,13 @@ def generate_tactics():
def generate_domain_markdown(domain, techniques, tactics, side_nav_data, notes, deprecated=None):
"""Generate tactic index markdown for each domain and generates shared data for tactics."""
if tactics[domain]:
+ active_tactics = get_active_tactics(tactics[domain])
+
# Write out the markdown file for overview of domain
- data = {"domain": domain.split("-")[0], "tactics_list_len": str(len(tactics[domain]))}
+ data = {"domain": domain.split("-")[0], "tactics_list_len": str(len(active_tactics))}
data["side_menu_data"] = side_nav_data
- data["tactics_table"] = get_domain_table_data(tactics[domain])
+ data["tactics_table"] = get_domain_table_data(active_tactics)
if deprecated:
data["deprecated"] = deprecated
@@ -86,6 +89,18 @@ def generate_domain_markdown(domain, techniques, tactics, side_nav_data, notes,
return False
+def get_active_tactics(tactic_list):
+ """Return tactics that should appear in domain index tables."""
+ return [
+ tactic for tactic in tactic_list if not tactic.get("x_mitre_deprecated") and not tactic.get("revoked")
+ ]
+
+
+def get_active_tactics_by_domain(tactics_by_domain):
+ """Return active tactics grouped by domain."""
+ return {domain: get_active_tactics(tactic_list) for domain, tactic_list in tactics_by_domain.items()}
+
+
def generate_tactic_md(tactic, domain, tactic_list, techniques, side_nav_data, notes):
"""Generate markdown for given tactic."""
attack_id = util.buildhelpers.get_attack_id(tactic)
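Review bot: The docstring of `get_active_tactics` says the result is for "domain index tables", but the first hunk also feeds it to the side navigation via `get_active_tactics_by_domain`, and the predicate itself is not stated; `"""Return tactics that are neither deprecated (x_mitre_deprecated) nor revoked."""` describes what the function actually does wherever it is used. With the last hunk `get_domain_table_data` filters its input again, so the pre-filtered `active_tactics` passed from `generate_domain_markdown` is filtered twice; that is harmless but one of the two call sites should say which filter is authoritative (a comment like `# get_domain_table_data filters again; the local list is only for tactics_list_len` would do). `generate_domain_markdown` continues outside the hunk, so whether the unfiltered `tactics[domain]` still reaches `generate_tactic_md` for deprecated entries cannot be confirmed here.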
@@ -146,7 +161,7 @@ def get_domain_table_data(tactic_list):
tactic_table = []
# Set up the tactics table for a domain
- for tactic in tactic_list:
+ for tactic in get_active_tactics(tactic_list):
attack_id = util.buildhelpers.get_attack_id(tactic)
if attack_id:
diff --git a/modules/tactics/tactics_config.py b/modules/tactics/tactics_config.py
index 99d3dd261c1..6ea0080172d 100644
--- a/modules/tactics/tactics_config.py
+++ b/modules/tactics/tactics_config.py
@@ -24,6 +24,7 @@
"Title: Tactics overview \n"
"Template: general/redirect-index \n"
"RedirectLink: /tactics/enterprise/ \n"
+ "private: True \n"
"save_as: tactics/index.html \n"
)
diff --git a/modules/techniques/techniques.py b/modules/techniques/techniques.py
index 767907c4176..53641adeb3b 100644
--- a/modules/techniques/techniques.py
+++ b/modules/techniques/techniques.py
@@ -403,7 +403,7 @@ def get_analytic_list(analytics, reference_list):
Parameters
----------
analytics : dict
- Mapping of analytics where each value includes 'external_references' and 'description'.
+ Mapping of analytics where the key is an Analytic STIX ID and value is an Analytic STIX object.
reference_list : dict
Reference accumulator passed to update_reference_list; may be modified by the helper.
@@ -413,11 +413,18 @@ def get_analytic_list(analytics, reference_list):
List of dictionaries with keys 'id' and 'description' for each analytic.
"""
analytics_list = []
- for keys, values in analytics.items():
- reference_list = util.buildhelpers.update_reference_list(reference_list, values)
- analytics_list.append(
- {"id": values["external_references"][0]["external_id"], "description": values["description"]}
- )
+ for analytix_stix_id, analytic in analytics.items():
+ if analytic is None:
+ logger.error(f"Analytic {analytix_stix_id} is missing from the STIX objects.")
+ continue
+
+ attack_id = util.buildhelpers.get_attack_id(analytic)
+ if not attack_id:
+ logger.error(f"Analytic {analytix_stix_id} does not have an ATT&CK ID.")
+ continue
+
+ reference_list = util.buildhelpers.update_reference_list(reference_list, analytic)
+ analytics_list.append({"id": attack_id, "description": analytic.get("description", "")})
return analytics_list
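Review bot: The loop variable `analytix_stix_id` at L21458 is misspelled and is echoed into two log messages; rename it `analytic_stix_id` before the spelling spreads into greps and alerts. With the new guards a missing or ID-less analytic now only logs an error and the technique page is still generated, whereas the old code raised — if a published page must never silently omit analytics, consider counting these misses and failing at the end of the build, or at least state in the docstring that unresolved entries are skipped. `logger` must be in scope in techniques.py; this commit imports it in relationshipgetters but the import here is not visible.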
diff --git a/modules/techniques/techniques_config.py b/modules/techniques/techniques_config.py
index 399c4f58fbd..2615da5aa29 100644
--- a/modules/techniques/techniques_config.py
+++ b/modules/techniques/techniques_config.py
@@ -24,6 +24,7 @@
"Title: Overview \n"
"Template: general/redirect-index \n"
"RedirectLink: /techniques/enterprise/ \n"
+ "private: True \n"
"save_as: techniques/index.html \n"
)
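Review bot: `private: True` is added to the redirect stub's metadata with no explanation; it presumably excludes the stub from the sitemap produced by the `pelican-sitemap` plugin this commit enables, but nothing in the file says so. Add a Python comment above the literal, e.g. `# private: keeps this redirect stub out of the generated sitemap (see SITEMAP in pelicanconf.py)`. The enclosing assignment starts outside the hunk.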
diff --git a/modules/techniques/templates/technique.html b/modules/techniques/templates/technique.html
index 8d8a2c1f402..371c58384f3 100644
--- a/modules/techniques/templates/technique.html
+++ b/modules/techniques/templates/technique.html
@@ -17,14 +17,11 @@
{% import 'macros/versioning.html' as versioning %}
{% if parsed.domain == "mobile" %}
-{% set title = title_prefix + parsed.name + ", " + title_type + " " + parsed.attack_id + " - Mobile | MITRE ATT&CK®"
--%}
+{% set title = title_prefix + parsed.name + ", " + title_type + " " + parsed.attack_id + " - Mobile | MITRE ATT&CK®" -%}
{% elif parsed.domain == "enterprise" %}
-{% set title = title_prefix + parsed.name + ", " + title_type + " " + parsed.attack_id + " - Enterprise | MITRE
-ATT&CK®" -%}
+{% set title = title_prefix + parsed.name + ", " + title_type + " " + parsed.attack_id + " - Enterprise | MITRE ATT&CK®" -%}
{% elif parsed.domain == "ics" %}
-{% set title = title_prefix + parsed.name + ", " + title_type + " " + parsed.attack_id + " - ICS | MITRE ATT&CK®"
--%}
+{% set title = title_prefix + parsed.name + ", " + title_type + " " + parsed.attack_id + " - ICS | MITRE ATT&CK®" -%}
{% else %}
{% set title = title_prefix + parsed.name + ", " + title_type + " " + parsed.attack_id + " | MITRE ATT&CK®" -%}
{% endif %}
@@ -171,8 +168,7 @@ Sub-techniques ({{parsed.subtechniques|leng
Sub-techniques:
{% if parsed.subtechniques %}
{% for subtechnique in parsed.subtechniques %}
- {{subtechnique.id}} {% if not loop.last %},{% endif %}
+ {{subtechnique.id}} {% if not loop.last %},{% endif %}
{% endfor %}
{% else %}
No sub-techniques
diff --git a/modules/util/relationshipgetters.py b/modules/util/relationshipgetters.py
index a20bb2c2a7b..3f2afc47827 100644
--- a/modules/util/relationshipgetters.py
+++ b/modules/util/relationshipgetters.py
@@ -1,3 +1,5 @@
+from loguru import logger
+
from . import relationshiphelpers as rsh
from . import stixhelpers
@@ -473,6 +475,9 @@ def get_logsource_to_detections_mapping():
for detection_strategy in detectionstrategy_list:
analytics_list_for_detection_strategy = stixhelpers.get_analytics_from_detection_strategy(detection_strategy)
for analytic_list_for_detection_strategy in analytics_list_for_detection_strategy.values():
+ if analytic_list_for_detection_strategy is None:
+ logger.error(f"No analytic relationships found for Detection strategy {detection_strategy['id']}")
+ continue
log_sources = analytic_list_for_detection_strategy.get("x_mitre_log_source_references", [])
for log_source in log_sources:
log_source_id = log_source.get("x_mitre_data_component_ref")
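Review bot: The message at L21526 says no analytic relationships were found for the strategy, but a `None` value in this mapping means one specific `x_mitre_analytic_refs` entry failed to resolve (see `get_analytics_from_detection_strategy` in this commit), and that miss is already logged there with the ref name. Iterate `.items()` so the log names the offending ref — `for analytic_ref, analytic_list_for_detection_strategy in analytics_list_for_detection_strategy.items():` and `logger.error(f"Detection strategy {detection_strategy['id']} references missing analytic {analytic_ref}")` — or simply `continue` without logging since the producer already reported it, to avoid a duplicate error per miss. The surrounding function starts and ends outside the hunk.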
diff --git a/modules/util/stixhelpers.py b/modules/util/stixhelpers.py
index 7f1117ab861..b8635f31249 100644
--- a/modules/util/stixhelpers.py
+++ b/modules/util/stixhelpers.py
@@ -102,6 +102,15 @@ def get_datacomponents(srcs):
return results
+def _append_tactic_if_present(src, tactics, tactic_id, matrix_ref):
+ """Append tactic to list when present, otherwise log and skip missing refs."""
+ tactic_matches = src.query([stix2.Filter("id", "=", tactic_id)])
+ if tactic_matches:
+ tactics.append(tactic_matches[0])
+ else:
+ logger.warning(f"Skipping missing tactic ref '{tactic_id}' from matrix '{matrix_ref}'")
+
+
def get_tactic_list(src, domain, matrix_id=None):
"""Read the STIX and return a list of all tactics in the STIX."""
tactics = []
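Review bot: A matrix `tactic_refs` entry that does not resolve is now logged at warning level and silently dropped, which changes the rendered matrix (a missing tactic column) without failing the build; previously it raised an IndexError. A matrix pointing at a nonexistent tactic is a data-integrity error in the STIX bundle rather than a tolerable condition, so log it with `logger.error(...)` and consider having the build fail when any such miss occurred. Returning a bool from the helper, `return bool(tactic_matches)`, would let `get_tactic_list` count misses cheaply. Whether the build has a strict mode is not visible here.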
@@ -117,11 +126,13 @@ def get_tactic_list(src, domain, matrix_id=None):
for curr_matrix in matrices:
if curr_matrix["id"] == matrix_id:
for tactic_id in curr_matrix["tactic_refs"]:
- tactics.append(src.query([stix2.Filter("id", "=", tactic_id)])[0])
+ _append_tactic_if_present(
+ src=src, tactics=tactics, tactic_id=tactic_id, matrix_ref=curr_matrix["id"]
+ )
else:
for matrix in matrices:
for tactic_id in matrix["tactic_refs"]:
- tactics.append(src.query([stix2.Filter("id", "=", tactic_id)])[0])
+ _append_tactic_if_present(src=src, tactics=tactics, tactic_id=tactic_id, matrix_ref=matrix["id"])
# Filter out by domain
tactics = [x for x in tactics if not hasattr(x, "x_mitre_domains") or domain in x.get("x_mitre_domains")]
@@ -297,7 +308,19 @@ def get_analytics_from_detection_strategy(detection_strategy):
all_analytics = relationshipgetters.get_analytic_list()
analytics_map = {analytic["id"]: analytic for analytic in all_analytics}
analytic_refs = detection_strategy.get("x_mitre_analytic_refs", [])
- return {ref: analytics_map.get(ref) for ref in analytic_refs}
+ detection_strategy_id = buildhelpers.get_attack_id(detection_strategy) or detection_strategy.get("id")
+ detection_strategy_name = detection_strategy.get("name", "")
+ analytics_for_detection_strategy = {}
+
+ for analytic_ref in analytic_refs:
+ analytic = analytics_map.get(analytic_ref)
+ if analytic is None:
+ logger.error(
+ f"Detection strategy {detection_strategy_id} ({detection_strategy_name}) references missing analytic {analytic_ref}"
+ )
+ analytics_for_detection_strategy[analytic_ref] = analytic
+
+ return analytics_for_detection_strategy
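Review bot: The returned dict still carries `None` for every unresolved `x_mitre_analytic_refs` entry (L21579), so every consumer must None-check — the relationshipgetters and techniques.py hunks in this commit do — but that contract is not stated anywhere. The function's docstring sits above the hunk; add to it: `Returns a dict keyed by analytic STIX ref; the value is None (and an error is logged) when the ref does not resolve in the loaded analytics.` Dropping unresolved refs from the result instead would remove the downstream checks, but it changes the keys callers see, so that is a separate decision.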
def add_replace_or_ignore(stix_objs, attack_id_objs, obj_in_question):
diff --git a/modules/website_build/static_pages/terms-of-use-redirect.md b/modules/website_build/static_pages/terms-of-use-redirect.md
index 87a7428be2f..3c3498ea630 100644
--- a/modules/website_build/static_pages/terms-of-use-redirect.md
+++ b/modules/website_build/static_pages/terms-of-use-redirect.md
@@ -1,4 +1,5 @@
Title: Terms of Use
Template: general/redirect-index
RedirectLink: /resources/legal-and-branding/terms-of-use
+private: True
save_as: terms/index.html
diff --git a/modules/website_build/static_pages/terms-of-use.md b/modules/website_build/static_pages/terms-of-use.md
index f4722b8709d..18c547541fb 100644
--- a/modules/website_build/static_pages/terms-of-use.md
+++ b/modules/website_build/static_pages/terms-of-use.md
@@ -10,7 +10,7 @@ save_as: resources/legal-and-branding/terms-of-use/index.html
The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK® for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.
-"© 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."
+"© 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."
#### DISCLAIMERS
diff --git a/modules/website_build/website_build.py b/modules/website_build/website_build.py
index 586b7131d46..2fedc1f1003 100644
--- a/modules/website_build/website_build.py
+++ b/modules/website_build/website_build.py
@@ -257,7 +257,15 @@ def pelican_content():
logger.debug(f"{pelican_cmd=}")
- subprocess.check_output(pelican_cmd, shell=True)
+ try:
+ subprocess.run(pelican_cmd, shell=True, check=True, capture_output=True, text=True)
+ except subprocess.CalledProcessError as err:
+ stdout = err.stdout if err.stdout is not None else err.output
+ if stdout:
+ logger.error("Pelican stdout:\n{}", stdout.rstrip())
+ if err.stderr:
+ logger.error("Pelican stderr:\n{}", err.stderr.rstrip())
+ raise
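Review bot: `subprocess.run(pelican_cmd, shell=True, ...)` at L21610 still hands one string to the shell, so if `pelican_cmd` (built above the hunk) interpolates any path or setting, shell metacharacters in it are interpreted; prefer an argv list with the default `shell=False`, e.g. `subprocess.run(shlex.split(pelican_cmd), check=True, capture_output=True, text=True)` if no shell features are relied on. `capture_output=True` also captures Pelican's stderr, which `check_output` previously let through to the console, so on a successful build Pelican's warnings are now invisible — log the captured output at debug level on success as well. On `CalledProcessError`, `err.output` is an alias of `err.stdout`, so L21612 reduces to `stdout = err.stdout`.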
def remove_pelican_settings():
diff --git a/pelicanconf.py b/pelicanconf.py
index f59d77118a6..98c9ae4ed01 100644
--- a/pelicanconf.py
+++ b/pelicanconf.py
@@ -22,6 +22,24 @@
DEFAULT_LANG = os.environ.get("PELICAN_DEFAULT_LANG", "en")
THEME = "attack-theme"
+PLUGINS = ["sitemap"]
+SITEMAP = {
+ "format": "xml",
+ "priorities": {
+ "articles": 0.5,
+ "indexes": 0.5,
+ "pages": 0.5,
+ },
+ "changefreqs": {
+ "articles": "monthly",
+ "indexes": "daily",
+ "pages": "monthly",
+ },
+ "exclude": [
+ r"^404\.html$",
+ r"^versions/",
+ ],
+}
ARCHIVES_SAVE_AS = ""
AUTHOR_SAVE_AS = ""
AUTHORS_SAVE_AS = ""
diff --git a/pyproject.toml b/pyproject.toml
index e67ffb24f66..c1be39ce3b0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,7 +6,7 @@ profile = "black"
[tool.towncrier]
name = "ATT&CK website"
- version = "4.4.1"
+ version = "4.4.2"
filename = "CHANGELOG.md"
issue_format = "[#{issue}](https://github.com/mitre-attack/attack-website/issues/{issue})"
template = ".towncrier.template.md"
diff --git a/requirements.txt b/requirements.txt
index 8b624a370e3..3ebc0e0c60d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,20 +1,18 @@
-GitPython==3.1.43
-Markdown==3.6
-bleach==6.1.0
+GitPython==3.1.47
+Markdown==3.10.2
+bleach==6.3.0
colorama==0.4.6
future==1.0.0
-loguru==0.7.2
-mitreattack-python==5.4.0
-pelican==4.10.2
-python-dotenv==1.0.1
-requests==2.32.3
-stix2==3.0.1
+loguru==0.7.3
+mitreattack-python==5.5.0
+pelican==4.12.0
+pelican-sitemap==1.2.2
+python-dotenv==1.2.2
+requests==2.33.1
+stix2==3.0.2
stix2-validator==3.2.0
toml==0.10.2
-towncrier==24.7.1
+towncrier==25.8.0
# dev dependencies
-black==24.3.0
-isort==5.12.0
-pylint==2.17.2
-ruff>=0.0.277
+ruff>=0.15.11
diff --git a/website-banner.production b/website-banner.production
index d223dfd5514..347580b768b 100644
--- a/website-banner.production
+++ b/website-banner.production
@@ -1 +1 @@
-ATT&CK v19 will be released April 28th! Check out this blog post for information on the planned deprecation of Enterprise's Defense Evasion tactic in the upcoming release.
\ No newline at end of file
+ATT&CK v19 has been released! Check out the blog post for more information.
\ No newline at end of file