ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f7f3518457
CyberThreatIntel/China/APT/IceFog/6-11-19/JSON/Mitre_TTPs.json
StrangerealIntel d5ea2f93f3
Add files via upload
2019-12-14 17:15:03 +01:00

38 lines
2.7 KiB
JSON
Raw Blame History

[
{
"Id": "T1012",
"Name": "Query Registry",
"Type": "Discovery ",
"Description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.",
"URL": "https://attack.mitre.org/techniques/T1012/"
},
{
"Id": "T1085",
"Name": "Rundll32",
"Type": "Defense Evasion, Execution ",
"Description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.",
"URL": "https://attack.mitre.org/techniques/T1085/"
},
{
"Id": "T1129",
"Name": "Execution through Module Load",
"Type": "Execution ",
"Description": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.",
"URL": "https://attack.mitre.org/techniques/T1129/"
},
{
"Id": "T1137",
"Name": "Office Application Startup",
"Type": "Persistence ",
"Description": "Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.",
"URL": "https://attack.mitre.org/techniques/T1137/"
},
{
"Id": "T1204",
"Name": "User Execution",
"Type": "Execution ",
"Description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user\u0027s desktop hoping that a user will click on it.",
"URL": "https://attack.mitre.org/techniques/T1204/"
}
]
Reference in New Issue View Git Blame Copy Permalink