Merge branch 'development'

master
Marcus Bakker 2019-11-06 12:58:06 +01:00
commit 370071bb7e
6 changed files with 13069 additions and 0 deletions


@ -0,0 +1,47 @@
# Targeted adversary tools
*Source: page 8 - CrowdStrike OverWatch 2019 mid-year report*
### Legitimate Tools Used by Targeted Adversaries
| prevalence | Software | ATT&CK ID |
|:-----------|:-----------------|:----------|
| 1 | PsExec | S0029 |
| 2 | ProcDump | |
| 3 | PC Hunter | |
| 4 | 7-Zip | |
| 5 | Nmap | |
| 6 | Netcat | |
| 7 | Process Hacker | |
| 8 | SMBexec | |
| 9 | RemotelyAnywhere | |
| 10 | PuTTY | |
### Pen-Testing Tools Used in Targeted Intrusions
| Prevalence | Software | ATT&CK ID |
|:-----------|:------------------|:----------|
| 1 | Mimikatz | S0002 |
| 2 | PowerShell Empire | S0363 |
| 3 | Cobalt Strike | S0154 |
| 4 | reGeorg | |
| 5 | Powerkatz | |
| 6 | PowerSploit | S0194 |
| 7 | Meterpreter | |
| 8 | Masscan | |
| 9 | RottenPotatoNG | |
| 10 | Powercat | |
### Implants Typically Associated with State-Sponsored Actors
| Prevalence | Software | ATT&CK ID |
|:-----------|:--------------|:----------|
| 1 | China Chopper | S0020 |
| 2 | Winnti | S0141 |
| 3 | BabyShark | S0414 |
| 4 | RbDoor | |
| 5 | QuasarRAT | S0262 |
| 6 | PlugX | S0013 |
| 7 | Mozi RAT | |
| 8 | Hawup | |
| 9 | Evora | |
| 10 | Elise | S0081 |
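Review bot: the column header is inconsistent between the three tables in this file: the first table uses `| prevalence |` while the other two use `| Prevalence |`; align them so the tables render and sort consistently. Also consider adding a blank line between the `*Source: ...*` line and the first `###` heading, since some markdown renderers will otherwise fold the heading into the preceding paragraph.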


@ -0,0 +1,150 @@
%YAML 1.2
---
version: 1.0
file_type: group-administration
groups:
- group_name: CrowdStrike Overwatch 2019 mid-year report
campaign: Heat map first half of 2019
technique_id:
T1220 : 10
T1134 : 10
T1098 : 10
T1103 : 10
T1020 : 10
T1139 : 10
T1176 : 10
T1110 : 10
T1146 : 10
T1115 : 10
T1191 : 10
T1116 : 10
T1500 : 10
T1090 : 10
T1196 : 10
T1024 : 10
T1132 : 10
T1213 : 10
T1039 : 10
T1001 : 10
T1038 : 10
T1073 : 10
T1212 : 10
T1068 : 10
T1147 : 10
T1066 : 10
T1056 : 10
T1118 : 10
T1215 : 10
T1159 : 10
T1168 : 10
T1031 : 10
T1170 : 10
T1026 : 10
T1126 : 10
T1135 : 10
T1040 : 10
T1201 : 10
T1120 : 10
T1093 : 10
T1012 : 10
T1021 : 10
T1014 : 10
T1494 : 10
T1035 : 10
T1058 : 10
T1489 : 10
T1166 : 10
T1045 : 10
T1032 : 10
T1095 : 10
T1169 : 10
T1007 : 10
T1099 : 10
T1204 : 10
T1102 : 10
T1028 : 10
T1015 : 20
T1197 : 20
T1088 : 20
T1081 : 20
T1214 : 20
T1074 : 20
T1041 : 20
T1203 : 20
T1133 : 20
T1158 : 20
T1183 : 20
T1070 : 20
T1050 : 20
T1069 : 20
T1145 : 20
T1055 : 20
T1108 : 20
T1063 : 20
T1192 : 20
T1124 : 20
T1094 : 25
T1002 : 25
T1140 : 25
T1482 : 25
T1048 : 25
T1190 : 25
T1107 : 25
T1219 : 25
T1053 : 25
T1072 : 25
T1119 : 30
T1136 : 30
T1089 : 30
T1036 : 30
T1112 : 30
T1193 : 30
T1065 : 30
T1100 : 30
T1061 : 40
T1046 : 40
T1060 : 40
T1076 : 40
T1496 : 40
T1085 : 40
T1071 : 40
T1077 : 40
T1047 : 40
T1005 : 45
T1490 : 45
T1043 : 50
T1083 : 50
T1027 : 50
T1117 : 50
T1016 : 50
T1222 : 55
T1082 : 55
T1049 : 55
T1003 : 60
T1057 : 60
T1064 : 60
T1033 : 60
T1086 : 65
T1078 : 65
T1087 : 75
T1486 : 75
T1105 : 75
T1018 : 75
T1059 : 100
software_id: []
enabled: True
- group_name: CrowdStrike Overwatch 2019 mid-year report
campaign: Seen in first half of 2019
technique_id: [T1001, T1002, T1003, T1005, T1007, T1012, T1014, T1015, T1016, T1018, T1020, T1021, T1024, T1026, T1027, T1028, T1031, T1032, T1033, T1035, T1036, T1038, T1039, T1040, T1041, T1043, T1045, T1046, T1047, T1047, T1048, T1049, T1050, T1053, T1055, T1056, T1057, T1058, T1059, T1060, T1061, T1063, T1064, T1065, T1066, T1068, T1069, T1070, T1071, T1072, T1073, T1074, T1076, T1077, T1078, T1081, T1082, T1083, T1085, T1086, T1087, T1088, T1089, T1090, T1093, T1094, T1095, T1098, T1099, T1100, T1102, T1103, T1105, T1107, T1108, T1110, T1112, T1115, T1116, T1117, T1118, T1119, T1120, T1124, T1126, T1132, T1133, T1134, T1135, T1136, T1139, T1140, T1145, T1146, T1147, T1158, T1159, T1166, T1168, T1169, T1170, T1176, T1183, T1190, T1191, T1192, T1193, T1196, T1197, T1201, T1203, T1204, T1212, T1213, T1214, T1215, T1219, T1220, T1222, T1482, T1486, T1489, T1490, T1494, T1496, T1500]
software_id: []
enabled: False
- group_name: CrowdStrike Overwatch 2019 mid-year report
campaign: Seen in 2018
technique_id: [T1001, T1002, T1003, T1005, T1007, T1008, T1012, T1014, T1015, T1016, T1018, T1020, T1021, T1022, T1023, T1024, T1027, T1028, T1029, T1030, T1032, T1033, T1035, T1036, T1037, T1038, T1039, T1040, T1041, T1043, T1044, T1045, T1046, T1047, T1047, T1048, T1049, T1050, T1053, T1055, T1056, T1057, T1058, T1060, T1061, T1063, T1064, T1065, T1066, T1068, T1069, T1070, T1071, T1072, T1073, T1074, T1075, T1076, T1077, T1078, T1079, T1081, T1082, T1083, T1085, T1086, T1087, T1088, T1089, T1090, T1091, T1093, T1094, T1095, T1098, T1099, T1100, T1102, T1105, T1106, T1107, T1108, T1110, T1112, T1113, T1114, T1116, T1117, T1118, T1119, T1120, T1122, T1124, T1126, T1127, T1127, T1128, T1129, T1132, T1133, T1135, T1136, T1139, T1140, T1142, T1145, T1146, T1148, T1151, T1156, T1158, T1160, T1166, T1168, T1169, T1170, T1175, T1185, T1189, T1190, T1192, T1193, T1195, T1197, T1201, T1203, T1204, T1208, T1210, T1211, T1212, T1213, T1214, T1219, T1222]
software_id: []
enabled: False
- group_name: CrowdStrike Overwatch 2019 mid-year report
campaign: Seen in 2018 and first half of 2019
technique_id: [T1001, T1002, T1003, T1005, T1007, T1008, T1012, T1014, T1015, T1016, T1018, T1020, T1021, T1022, T1023, T1024, T1026, T1027, T1028, T1029, T1030, T1031, T1032, T1033, T1035, T1036, T1037, T1038, T1039, T1040, T1041, T1043, T1044, T1045, T1046, T1047, T1048, T1049, T1050, T1053, T1055, T1056, T1057, T1058, T1059, T1060, T1061, T1063, T1064, T1065, T1066, T1068, T1069, T1070, T1071, T1072, T1073, T1074, T1075, T1076, T1077, T1078, T1079, T1081, T1082, T1083, T1085, T1086, T1087, T1088, T1089, T1090, T1091, T1093, T1094, T1095, T1098, T1099, T1100, T1102, T1103, T1105, T1106, T1107, T1108, T1110, T1112, T1113, T1114, T1115, T1116, T1117, T1118, T1119, T1120, T1122, T1124, T1126, T1127, T1127, T1128, T1129, T1132, T1133, T1134, T1135, T1136, T1139, T1140, T1142, T1145, T1146, T1147, T1148, T1151, T1156, T1158, T1159, T1160, T1166, T1168, T1169, T1170, T1175, T1176, T1183, T1185, T1189, T1190, T1191, T1192, T1193, T1195, T1196, T1197, T1201, T1203, T1204, T1208, T1210, T1211, T1212, T1213, T1214, T1215, T1219, T1220, T1222, T1482, T1486, T1489, T1490, T1494, T1496, T1500]
software_id: []
enabled: False
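Review bot: several `technique_id` lists contain duplicate entries that should be deduplicated before this is merged: `T1047` appears twice in the "Seen in first half of 2019" list and again twice in the "Seen in 2018" list, and `T1127` appears twice in both the "Seen in 2018" and the "Seen in 2018 and first half of 2019" lists. Separately, every group in this file has `software_id: []` even though the accompanying markdown table records ATT&CK software IDs for the tools in the same report (S0029, S0002, S0363, S0154, S0194, S0020, S0141, S0414, S0262, S0013, S0081); if the intent is for the heat map to reflect that tooling, populate `software_id` for the relevant group rather than leaving it empty.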