From f2a8facb41d1965b5354197ab6512529ad56b255 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Sat, 21 Mar 2020 17:12:00 +0100
Subject: [PATCH] Create Mitre-Kimsuky-2020-03-20.json
---
.../JSON/Mitre-Kimsuky-2020-03-20.json | 44 +++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 North Korea/APT/Kimsuky/2020-03-20/JSON/Mitre-Kimsuky-2020-03-20.json
diff --git a/North Korea/APT/Kimsuky/2020-03-20/JSON/Mitre-Kimsuky-2020-03-20.json b/North Korea/APT/Kimsuky/2020-03-20/JSON/Mitre-Kimsuky-2020-03-20.json
new file mode 100644
index 0000000..46395b5
--- /dev/null
+++ b/North Korea/APT/Kimsuky/2020-03-20/JSON/Mitre-Kimsuky-2020-03-20.json
@@ -0,0 +1,44 @@
+[
+ {
+ "Id": "T1012",
+ "Name": "Query Registry",
+ "Type": "Discovery ",
+ "Description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.",
+ "URL": "https://attack.mitre.org/techniques/T1012/"
+ },
+ {
+ "Id": "T1057",
+ "Name": "Process Discovery",
+ "Type": "Discovery ",
+ "Description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.",
+ "URL": "https://attack.mitre.org/techniques/T1057/"
+ },
+ {
+ "Id": "T1060",
+ "Name": "Registry Run Keys / Startup Folder",
+ "Type": "Persistence ",
+ "Description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account\u0027s associated permissions level.",
+ "URL": "https://attack.mitre.org/techniques/T1060/"
+ },
+ {
+ "Id": "T1064",
+ "Name": "Scripting",
+ "Type": "Defense Evasion, Execution ",
+ "Description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. 
Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.",
+ "URL": "https://attack.mitre.org/techniques/T1064/"
+ },
+ {
+ "Id": "T1082",
+ "Name": "System Information Discovery",
+ "Type": "Discovery ",
+ "Description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.",
+ "URL": "https://attack.mitre.org/techniques/T1082/"
+ },
+ {
+ "Id": "T1086",
+ "Name": "PowerShell",
+ "Type": "Execution ",
+ "Description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.",
+ "URL": "https://attack.mitre.org/techniques/T1086/"
+ }
+]
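Review bot: The `Type` values carry a trailing space (`"Discovery "`, `"Persistence "`, `"Execution "`), and T1064 packs two tactics into one comma-joined string, so any consumer that matches or groups on tactic name has to trim and split first; prefer `"Type": "Discovery"` and a consistent array form such as `"Type": ["Defense Evasion", "Execution"]` for every entry. The T1064 `Description` appears to contain a line break inside the string before "Common scripting languages"; if that is a raw control character in the file rather than a rendering artefact, strict JSON parsers will reject it and it should be written as `\n`. The file also records no ATT&CK version, which matters because technique IDs get renumbered or deprecated between releases; a version field alongside the entries would let detection tooling map them reliably.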