Subtechniques support

This commit is contained in:
mrblacyk 2020-08-23 19:51:03 +02:00
parent 62ff711b16
commit 05f1b69292
2 changed files with 658 additions and 263 deletions

View File

@ -49,272 +49,667 @@ ta_mapping = {
] ]
} }
te_mapping = { te_mapping = {
"T1156": ".bash_profile and .bashrc",
"T1134": "Access Token Manipulation",
"T1015": "Accessibility Features",
"T1531": "Account Access Removal",
"T1087": "Account Discovery",
"T1098": "Account Manipulation",
"T1182": "AppCert DLLs",
"T1103": "AppInit DLLs",
"T1155": "AppleScript",
"T1527": "Application Access Token",
"T1017": "Application Deployment Software",
"T1138": "Application Shimming",
"T1010": "Application Window Discovery",
"T1123": "Audio Capture",
"T1131": "Authentication Package",
"T1119": "Automated Collection",
"T1020": "Automated Exfiltration",
"T1197": "BITS Jobs",
"T1139": "Bash History",
"T1009": "Binary Padding",
"T1067": "Bootkit",
"T1217": "Browser Bookmark Discovery",
"T1176": "Browser Extensions",
"T1110": "Brute Force",
"T1088": "Bypass User Account Control",
"T1191": "CMSTP",
"T1042": "Change Default File Association",
"T1146": "Clear Command History",
"T1115": "Clipboard Data",
"T1522": "Cloud Instance Metadata API",
"T1538": "Cloud Service Dashboard",
"T1526": "Cloud Service Discovery",
"T1116": "Code Signing",
"T1059": "Command-Line Interface",
"T1043": "Commonly Used Port",
"T1092": "Communication Through Removable Media",
"T1500": "Compile After Delivery",
"T1223": "Compiled HTML File",
"T1109": "Component Firmware",
"T1122": "Component Object Model Hijacking",
"T1175": "Component Object Model and Distributed COM",
"T1090": "Connection Proxy",
"T1196": "Control Panel Items",
"T1136": "Create Account",
"T1003": "Credential Dumping",
"T1503": "Credentials from Web Browsers",
"T1081": "Credentials in Files",
"T1214": "Credentials in Registry",
"T1094": "Custom Command and Control Protocol",
"T1024": "Custom Cryptographic Protocol",
"T1207": "DCShadow",
"T1038": "DLL Search Order Hijacking",
"T1073": "DLL Side-Loading",
"T1002": "Data Compressed",
"T1485": "Data Destruction",
"T1132": "Data Encoding",
"T1022": "Data Encrypted",
"T1486": "Data Encrypted for Impact",
"T1001": "Data Obfuscation", "T1001": "Data Obfuscation",
"T1074": "Data Staged", "T1001.001": "Data Obfuscation : Junk Data",
"T1030": "Data Transfer Size Limits", "T1001.002": "Data Obfuscation : Steganography",
"T1530": "Data from Cloud Storage Object", "T1001.003": "Data Obfuscation : Protocol Impersonation",
"T1213": "Data from Information Repositories", "T1003": "OS Credential Dumping",
"T1003.001": "OS Credential Dumping : LSASS Memory",
"T1003.002": "OS Credential Dumping : Security Account Manager",
"T1003.003": "OS Credential Dumping : NTDS",
"T1003.004": "OS Credential Dumping : LSA Secrets",
"T1003.005": "OS Credential Dumping : Cached Domain Credentials",
"T1003.006": "OS Credential Dumping : DCSync",
"T1003.007": "OS Credential Dumping : Proc Filesystem",
"T1003.008": "OS Credential Dumping : /etc/passwd and /etc/shadow",
"T1005": "Data from Local System", "T1005": "Data from Local System",
"T1039": "Data from Network Shared Drive", "T1006": "Direct Volume Access",
"T1025": "Data from Removable Media",
"T1491": "Defacement",
"T1140": "Deobfuscate/Decode Files or Information",
"T1089": "Disabling Security Tools",
"T1488": "Disk Content Wipe",
"T1487": "Disk Structure Wipe",
"T1172": "Domain Fronting",
"T1483": "Domain Generation Algorithms",
"T1482": "Domain Trust Discovery",
"T1189": "Drive-by Compromise",
"T1157": "Dylib Hijacking",
"T1173": "Dynamic Data Exchange",
"T1514": "Elevated Execution with Prompt",
"T1114": "Email Collection",
"T1519": "Emond",
"T1499": "Endpoint Denial of Service",
"T1480": "Execution Guardrails",
"T1106": "Execution through API",
"T1129": "Execution through Module Load",
"T1048": "Exfiltration Over Alternative Protocol",
"T1041": "Exfiltration Over Command and Control Channel",
"T1011": "Exfiltration Over Other Network Medium",
"T1052": "Exfiltration Over Physical Medium",
"T1190": "Exploit Public-Facing Application",
"T1203": "Exploitation for Client Execution",
"T1212": "Exploitation for Credential Access",
"T1211": "Exploitation for Defense Evasion",
"T1068": "Exploitation for Privilege Escalation",
"T1210": "Exploitation of Remote Services",
"T1133": "External Remote Services",
"T1181": "Extra Window Memory Injection",
"T1008": "Fallback Channels",
"T1107": "File Deletion",
"T1006": "File System Logical Offsets",
"T1044": "File System Permissions Weakness",
"T1083": "File and Directory Discovery",
"T1222": "File and Directory Permissions Modification",
"T1495": "Firmware Corruption",
"T1187": "Forced Authentication",
"T1144": "Gatekeeper Bypass",
"T1061": "Graphical User Interface",
"T1484": "Group Policy Modification",
"T1148": "HISTCONTROL",
"T1200": "Hardware Additions",
"T1158": "Hidden Files and Directories",
"T1147": "Hidden Users",
"T1143": "Hidden Window",
"T1179": "Hooking",
"T1062": "Hypervisor",
"T1183": "Image File Execution Options Injection",
"T1525": "Implant Container Image",
"T1054": "Indicator Blocking",
"T1066": "Indicator Removal from Tools",
"T1070": "Indicator Removal on Host",
"T1202": "Indirect Command Execution",
"T1490": "Inhibit System Recovery",
"T1056": "Input Capture",
"T1141": "Input Prompt",
"T1130": "Install Root Certificate",
"T1118": "InstallUtil",
"T1534": "Internal Spearphishing",
"T1208": "Kerberoasting",
"T1215": "Kernel Modules and Extensions",
"T1142": "Keychain",
"T1161": "LC_LOAD_DYLIB Addition",
"T1149": "LC_MAIN Hijacking",
"T1171": "LLMNR/NBT-NS Poisoning and Relay",
"T1177": "LSASS Driver",
"T1159": "Launch Agent",
"T1160": "Launch Daemon",
"T1152": "Launchctl",
"T1168": "Local Job Scheduling",
"T1162": "Login Item",
"T1037": "Logon Scripts",
"T1185": "Man in the Browser",
"T1036": "Masquerading",
"T1031": "Modify Existing Service",
"T1112": "Modify Registry",
"T1170": "Mshta",
"T1104": "Multi-Stage Channels",
"T1188": "Multi-hop Proxy",
"T1026": "Multiband Communication",
"T1079": "Multilayer Encryption",
"T1096": "NTFS File Attributes",
"T1128": "Netsh Helper DLL",
"T1498": "Network Denial of Service",
"T1046": "Network Service Scanning",
"T1126": "Network Share Connection Removal",
"T1135": "Network Share Discovery",
"T1040": "Network Sniffing",
"T1050": "New Service",
"T1027": "Obfuscated Files or Information",
"T1137": "Office Application Startup",
"T1502": "Parent PID Spoofing",
"T1075": "Pass the Hash",
"T1097": "Pass the Ticket",
"T1174": "Password Filter DLL",
"T1201": "Password Policy Discovery",
"T1034": "Path Interception",
"T1120": "Peripheral Device Discovery",
"T1069": "Permission Groups Discovery",
"T1150": "Plist Modification",
"T1205": "Port Knocking",
"T1013": "Port Monitors",
"T1086": "PowerShell",
"T1504": "PowerShell Profile",
"T1145": "Private Keys",
"T1057": "Process Discovery",
"T1186": "Process Doppelg\u00e4nging",
"T1093": "Process Hollowing",
"T1055": "Process Injection",
"T1012": "Query Registry",
"T1163": "Rc.common",
"T1164": "Re-opened Applications",
"T1108": "Redundant Access",
"T1060": "Registry Run Keys / Startup Folder",
"T1121": "Regsvcs/Regasm",
"T1117": "Regsvr32",
"T1219": "Remote Access Tools",
"T1076": "Remote Desktop Protocol",
"T1105": "Remote File Copy",
"T1021": "Remote Services",
"T1018": "Remote System Discovery",
"T1091": "Replication Through Removable Media",
"T1496": "Resource Hijacking",
"T1536": "Revert Cloud Instance",
"T1014": "Rootkit",
"T1085": "Rundll32",
"T1494": "Runtime Data Manipulation",
"T1178": "SID-History Injection",
"T1198": "SIP and Trust Provider Hijacking",
"T1184": "SSH Hijacking",
"T1053": "Scheduled Task",
"T1029": "Scheduled Transfer",
"T1113": "Screen Capture",
"T1180": "Screensaver",
"T1064": "Scripting",
"T1063": "Security Software Discovery",
"T1101": "Security Support Provider",
"T1167": "Securityd Memory",
"T1505": "Server Software Component",
"T1035": "Service Execution",
"T1058": "Service Registry Permissions Weakness",
"T1489": "Service Stop",
"T1166": "Setuid and Setgid",
"T1051": "Shared Webroot",
"T1023": "Shortcut Modification",
"T1218": "Signed Binary Proxy Execution",
"T1216": "Signed Script Proxy Execution",
"T1518": "Software Discovery",
"T1045": "Software Packing",
"T1153": "Source",
"T1151": "Space after Filename",
"T1193": "Spearphishing Attachment",
"T1192": "Spearphishing Link",
"T1194": "Spearphishing via Service",
"T1071": "Standard Application Layer Protocol",
"T1032": "Standard Cryptographic Protocol",
"T1095": "Standard Non-Application Layer Protocol",
"T1165": "Startup Items",
"T1528": "Steal Application Access Token",
"T1539": "Steal Web Session Cookie",
"T1492": "Stored Data Manipulation",
"T1169": "Sudo",
"T1206": "Sudo Caching",
"T1195": "Supply Chain Compromise",
"T1019": "System Firmware",
"T1082": "System Information Discovery",
"T1016": "System Network Configuration Discovery",
"T1049": "System Network Connections Discovery",
"T1033": "System Owner/User Discovery",
"T1007": "System Service Discovery", "T1007": "System Service Discovery",
"T1529": "System Shutdown/Reboot", "T1008": "Fallback Channels",
"T1124": "System Time Discovery", "T1010": "Application Window Discovery",
"T1501": "Systemd Service", "T1011": "Exfiltration Over Other Network Medium",
"T1080": "Taint Shared Content", "T1011.001": "Exfiltration Over Other Network Medium : Exfiltration Over Bluetooth",
"T1221": "Template Injection", "T1012": "Query Registry",
"T1072": "Third-party Software", "T1014": "Rootkit",
"T1209": "Time Providers", "T1016": "System Network Configuration Discovery",
"T1099": "Timestomp", "T1018": "Remote System Discovery",
"T1537": "Transfer Data to Cloud Account", "T1020": "Automated Exfiltration",
"T1493": "Transmitted Data Manipulation", "T1021": "Remote Services",
"T1154": "Trap", "T1021.001": "Remote Services : Remote Desktop Protocol",
"T1127": "Trusted Developer Utilities", "T1021.002": "Remote Services : SMB/Windows Admin Shares",
"T1199": "Trusted Relationship", "T1021.003": "Remote Services : Distributed Component Object Model",
"T1111": "Two-Factor Authentication Interception", "T1021.004": "Remote Services : SSH",
"T1065": "Uncommonly Used Port", "T1021.005": "Remote Services : VNC",
"T1535": "Unused/Unsupported Cloud Regions", "T1021.006": "Remote Services : Windows Remote Management",
"T1204": "User Execution", "T1025": "Data from Removable Media",
"T1078": "Valid Accounts", "T1027": "Obfuscated Files or Information",
"T1125": "Video Capture", "T1027.001": "Obfuscated Files or Information : Binary Padding",
"T1497": "Virtualization/Sandbox Evasion", "T1027.002": "Obfuscated Files or Information : Software Packing",
"T1102": "Web Service", "T1027.003": "Obfuscated Files or Information : Steganography",
"T1506": "Web Session Cookie", "T1027.004": "Obfuscated Files or Information : Compile After Delivery",
"T1100": "Web Shell", "T1027.005": "Obfuscated Files or Information : Indicator Removal from Tools",
"T1077": "Windows Admin Shares", "T1029": "Scheduled Transfer",
"T1030": "Data Transfer Size Limits",
"T1033": "System Owner/User Discovery",
"T1036": "Masquerading",
"T1036.001": "Masquerading : Invalid Code Signature",
"T1036.002": "Masquerading : Right-to-Left Override",
"T1036.003": "Masquerading : Rename System Utilities",
"T1036.004": "Masquerading : Masquerade Task or Service",
"T1036.005": "Masquerading : Match Legitimate Name or Location",
"T1036.006": "Masquerading : Space after Filename",
"T1037": "Boot or Logon Initialization Scripts",
"T1037.001": "Boot or Logon Initialization Scripts : Logon Script (Windows)",
"T1037.002": "Boot or Logon Initialization Scripts : Logon Script (Mac)",
"T1037.003": "Boot or Logon Initialization Scripts : Network Logon Script",
"T1037.004": "Boot or Logon Initialization Scripts : Rc.common",
"T1037.005": "Boot or Logon Initialization Scripts : Startup Items",
"T1039": "Data from Network Shared Drive",
"T1040": "Network Sniffing",
"T1041": "Exfiltration Over C2 Channel",
"T1046": "Network Service Scanning",
"T1047": "Windows Management Instrumentation", "T1047": "Windows Management Instrumentation",
"T1084": "Windows Management Instrumentation Event Subscription", "T1048": "Exfiltration Over Alternative Protocol",
"T1028": "Windows Remote Management", "T1048.001": "Exfiltration Over Alternative Protocol : Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
"T1004": "Winlogon Helper DLL", "T1048.002": "Exfiltration Over Alternative Protocol : Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"T1220": "XSL Script Processing" "T1048.003": "Exfiltration Over Alternative Protocol : Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"T1049": "System Network Connections Discovery",
"T1052": "Exfiltration Over Physical Medium",
"T1052.001": "Exfiltration Over Physical Medium : Exfiltration over USB",
"T1053": "Scheduled Task/Job",
"T1053.001": "Scheduled Task/Job : At (Linux)",
"T1053.002": "Scheduled Task/Job : At (Windows)",
"T1053.003": "Scheduled Task/Job : Cron",
"T1053.004": "Scheduled Task/Job : Launchd",
"T1053.005": "Scheduled Task/Job : Scheduled Task",
"T1055": "Process Injection",
"T1055.001": "Process Injection : Dynamic-link Library Injection",
"T1055.002": "Process Injection : Portable Executable Injection",
"T1055.003": "Process Injection : Thread Execution Hijacking",
"T1055.004": "Process Injection : Asynchronous Procedure Call",
"T1055.005": "Process Injection : Thread Local Storage",
"T1055.008": "Process Injection : Ptrace System Calls",
"T1055.009": "Process Injection : Proc Memory",
"T1055.011": "Process Injection : Extra Window Memory Injection",
"T1055.012": "Process Injection : Process Hollowing",
"T1055.013": "Process Injection : Process Doppelgänging",
"T1055.014": "Process Injection : VDSO Hijacking",
"T1056": "Input Capture",
"T1056.001": "Input Capture : Keylogging",
"T1056.002": "Input Capture : GUI Input Capture",
"T1056.003": "Input Capture : Web Portal Capture",
"T1056.004": "Input Capture : Credential API Hooking",
"T1057": "Process Discovery",
"T1059": "Command and Scripting Interpreter",
"T1059.001": "Command and Scripting Interpreter : PowerShell",
"T1059.002": "Command and Scripting Interpreter : AppleScript",
"T1059.003": "Command and Scripting Interpreter : Windows Command Shell",
"T1059.004": "Command and Scripting Interpreter : Unix Shell",
"T1059.005": "Command and Scripting Interpreter : Visual Basic",
"T1059.006": "Command and Scripting Interpreter : Python",
"T1059.007": "Command and Scripting Interpreter : JavaScript/JScript",
"T1068": "Exploitation for Privilege Escalation",
"T1069": "Permission Groups Discovery",
"T1069.001": "Permission Groups Discovery : Local Groups",
"T1069.002": "Permission Groups Discovery : Domain Groups",
"T1069.003": "Permission Groups Discovery : Cloud Groups",
"T1070": "Indicator Removal on Host",
"T1070.001": "Indicator Removal on Host : Clear Windows Event Logs",
"T1070.002": "Indicator Removal on Host : Clear Linux or Mac System Logs",
"T1070.003": "Indicator Removal on Host : Clear Command History",
"T1070.004": "Indicator Removal on Host : File Deletion",
"T1070.005": "Indicator Removal on Host : Network Share Connection Removal",
"T1070.006": "Indicator Removal on Host : Timestomp",
"T1071": "Application Layer Protocol",
"T1071.001": "Application Layer Protocol : Web Protocols",
"T1071.002": "Application Layer Protocol : File Transfer Protocols",
"T1071.003": "Application Layer Protocol : Mail Protocols",
"T1071.004": "Application Layer Protocol : DNS",
"T1072": "Software Deployment Tools",
"T1074": "Data Staged",
"T1074.001": "Data Staged : Local Data Staging",
"T1074.002": "Data Staged : Remote Data Staging",
"T1078": "Valid Accounts",
"T1078.001": "Valid Accounts : Default Accounts",
"T1078.002": "Valid Accounts : Domain Accounts",
"T1078.003": "Valid Accounts : Local Accounts",
"T1078.004": "Valid Accounts : Cloud Accounts",
"T1080": "Taint Shared Content",
"T1082": "System Information Discovery",
"T1083": "File and Directory Discovery",
"T1087": "Account Discovery",
"T1087.001": "Account Discovery : Local Account",
"T1087.002": "Account Discovery : Domain Account",
"T1087.003": "Account Discovery : Email Account",
"T1087.004": "Account Discovery : Cloud Account",
"T1090": "Proxy",
"T1090.001": "Proxy : Internal Proxy",
"T1090.002": "Proxy : External Proxy",
"T1090.003": "Proxy : Multi-hop Proxy",
"T1090.004": "Proxy : Domain Fronting",
"T1091": "Replication Through Removable Media",
"T1092": "Communication Through Removable Media",
"T1095": "Non-Application Layer Protocol",
"T1098": "Account Manipulation",
"T1098.001": "Account Manipulation : Additional Azure Service Principal Credentials",
"T1098.002": "Account Manipulation : Exchange Email Delegate Permissions",
"T1098.003": "Account Manipulation : Add Office 365 Global Administrator Role",
"T1098.004": "Account Manipulation : SSH Authorized Keys",
"T1102": "Web Service",
"T1102.001": "Web Service : Dead Drop Resolver",
"T1102.002": "Web Service : Bidirectional Communication",
"T1102.003": "Web Service : One-Way Communication",
"T1104": "Multi-Stage Channels",
"T1105": "Ingress Tool Transfer",
"T1106": "Native API",
"T1110": "Brute Force",
"T1110.001": "Brute Force : Password Guessing",
"T1110.002": "Brute Force : Password Cracking",
"T1110.003": "Brute Force : Password Spraying",
"T1110.004": "Brute Force : Credential Stuffing",
"T1111": "Two-Factor Authentication Interception",
"T1112": "Modify Registry",
"T1113": "Screen Capture",
"T1114": "Email Collection",
"T1114.001": "Email Collection : Local Email Collection",
"T1114.002": "Email Collection : Remote Email Collection",
"T1114.003": "Email Collection : Email Forwarding Rule",
"T1115": "Clipboard Data",
"T1119": "Automated Collection",
"T1120": "Peripheral Device Discovery",
"T1123": "Audio Capture",
"T1124": "System Time Discovery",
"T1125": "Video Capture",
"T1127": "Trusted Developer Utilities Proxy Execution",
"T1127.001": "Trusted Developer Utilities Proxy Execution : MSBuild",
"T1129": "Shared Modules",
"T1132": "Data Encoding",
"T1132.001": "Data Encoding : Standard Encoding",
"T1132.002": "Data Encoding : Non-Standard Encoding",
"T1133": "External Remote Services",
"T1134": "Access Token Manipulation",
"T1134.001": "Access Token Manipulation : Token Impersonation/Theft",
"T1134.002": "Access Token Manipulation : Create Process with Token",
"T1134.003": "Access Token Manipulation : Make and Impersonate Token",
"T1134.004": "Access Token Manipulation : Parent PID Spoofing",
"T1134.005": "Access Token Manipulation : SID-History Injection",
"T1135": "Network Share Discovery",
"T1136": "Create Account",
"T1136.001": "Create Account : Local Account",
"T1136.002": "Create Account : Domain Account",
"T1136.003": "Create Account : Cloud Account",
"T1137": "Office Application Startup",
"T1137.001": "Office Application Startup : Office Template Macros",
"T1137.002": "Office Application Startup : Office Test",
"T1137.003": "Office Application Startup : Outlook Forms",
"T1137.004": "Office Application Startup : Outlook Home Page",
"T1137.005": "Office Application Startup : Outlook Rules",
"T1137.006": "Office Application Startup : Add-ins",
"T1140": "Deobfuscate/Decode Files or Information",
"T1176": "Browser Extensions",
"T1185": "Man in the Browser",
"T1187": "Forced Authentication",
"T1189": "Drive-by Compromise",
"T1190": "Exploit Public-Facing Application",
"T1195": "Supply Chain Compromise",
"T1195.001": "Supply Chain Compromise : Compromise Software Dependencies and Development Tools",
"T1195.002": "Supply Chain Compromise : Compromise Software Supply Chain",
"T1195.003": "Supply Chain Compromise : Compromise Hardware Supply Chain",
"T1197": "BITS Jobs",
"T1199": "Trusted Relationship",
"T1200": "Hardware Additions",
"T1201": "Password Policy Discovery",
"T1202": "Indirect Command Execution",
"T1203": "Exploitation for Client Execution",
"T1204": "User Execution",
"T1204.001": "User Execution : Malicious Link",
"T1204.002": "User Execution : Malicious File",
"T1205": "Traffic Signaling",
"T1205.001": "Traffic Signaling : Port Knocking",
"T1207": "Rogue Domain Controller",
"T1210": "Exploitation of Remote Services",
"T1211": "Exploitation for Defense Evasion",
"T1212": "Exploitation for Credential Access",
"T1213": "Data from Information Repositories",
"T1213.001": "Data from Information Repositories : Confluence",
"T1213.002": "Data from Information Repositories : Sharepoint",
"T1216": "Signed Script Proxy Execution",
"T1216.001": "Signed Script Proxy Execution : PubPrn",
"T1217": "Browser Bookmark Discovery",
"T1218": "Signed Binary Proxy Execution",
"T1218.001": "Signed Binary Proxy Execution : Compiled HTML File",
"T1218.002": "Signed Binary Proxy Execution : Control Panel",
"T1218.003": "Signed Binary Proxy Execution : CMSTP",
"T1218.004": "Signed Binary Proxy Execution : InstallUtil",
"T1218.005": "Signed Binary Proxy Execution : Mshta",
"T1218.007": "Signed Binary Proxy Execution : Msiexec",
"T1218.008": "Signed Binary Proxy Execution : Odbcconf",
"T1218.009": "Signed Binary Proxy Execution : Regsvcs/Regasm",
"T1218.010": "Signed Binary Proxy Execution : Regsvr32",
"T1218.011": "Signed Binary Proxy Execution : Rundll32",
"T1219": "Remote Access Software",
"T1220": "XSL Script Processing",
"T1221": "Template Injection",
"T1222": "File and Directory Permissions Modification",
"T1222.001": "File and Directory Permissions Modification : Windows File and Directory Permissions Modification",
"T1222.002": "File and Directory Permissions Modification : Linux and Mac File and Directory Permissions Modification",
"T1224": "Assess leadership areas of interest",
"T1225": "Identify gap areas",
"T1226": "Conduct cost/benefit analysis",
"T1227": "Develop KITs/KIQs",
"T1228": "Assign KITs/KIQs into categories",
"T1229": "Assess KITs/KIQs benefits",
"T1230": "Derive intelligence requirements",
"T1231": "Create strategic plan",
"T1232": "Create implementation plan",
"T1233": "Identify analyst level gaps",
"T1234": "Generate analyst intelligence requirements",
"T1235": "Receive operator KITs/KIQs tasking",
"T1236": "Assess current holdings, needs, and wants",
"T1237": "Submit KITs, KIQs, and intelligence requirements",
"T1238": "Assign KITs, KIQs, and/or intelligence requirements",
"T1239": "Receive KITs/KIQs and determine requirements",
"T1240": "Task requirements",
"T1241": "Determine strategic target",
"T1242": "Determine operational element",
"T1243": "Determine highest level tactical element",
"T1244": "Determine secondary level tactical element",
"T1245": "Determine approach/attack vector",
"T1246": "Identify supply chains",
"T1247": "Acquire OSINT data sets and information",
"T1248": "Identify job postings and needs/gaps",
"T1249": "Conduct social engineering",
"T1250": "Determine domain and IP address space",
"T1251": "Obtain domain/IP registration information",
"T1252": "Map network topology",
"T1253": "Conduct passive scanning",
"T1254": "Conduct active scanning",
"T1255": "Discover target logon/email address format",
"T1256": "Identify web defensive services",
"T1257": "Mine technical blogs/forums",
"T1258": "Determine firmware version",
"T1259": "Determine external network trust dependencies",
"T1260": "Determine 3rd party infrastructure services",
"T1261": "Enumerate externally facing software applications technologies, languages, and dependencies",
"T1262": "Enumerate client configurations",
"T1263": "Identify security defensive capabilities",
"T1264": "Identify technology usage patterns",
"T1265": "Identify supply chains",
"T1266": "Acquire OSINT data sets and information",
"T1267": "Identify job postings and needs/gaps",
"T1268": "Conduct social engineering",
"T1269": "Identify people of interest",
"T1270": "Identify groups/roles",
"T1271": "Identify personnel with an authority/privilege",
"T1272": "Identify business relationships",
"T1273": "Mine social media",
"T1274": "Identify sensitive personnel information",
"T1275": "Aggregate individual's digital footprint",
"T1276": "Identify supply chains",
"T1277": "Acquire OSINT data sets and information",
"T1278": "Identify job postings and needs/gaps",
"T1279": "Conduct social engineering",
"T1280": "Identify business processes/tempo",
"T1281": "Obtain templates/branding materials",
"T1282": "Determine physical locations",
"T1283": "Identify business relationships",
"T1284": "Determine 3rd party infrastructure services",
"T1285": "Determine centralization of IT management",
"T1286": "Dumpster dive",
"T1287": "Analyze data collected",
"T1288": "Analyze architecture and configuration posture",
"T1289": "Analyze organizational skillsets and deficiencies",
"T1290": "Research visibility gap of security vendors",
"T1291": "Research relevant vulnerabilities/CVEs",
"T1292": "Test signature detection",
"T1293": "Analyze application security posture",
"T1294": "Analyze hardware/software security defensive capabilities",
"T1295": "Analyze social and business relationships, interests, and affiliations",
"T1296": "Assess targeting options",
"T1297": "Analyze organizational skillsets and deficiencies",
"T1298": "Assess vulnerability of 3rd party vendors",
"T1299": "Assess opportunities created by business deals",
"T1300": "Analyze organizational skillsets and deficiencies",
"T1301": "Analyze business processes",
"T1302": "Assess security posture of physical locations",
"T1303": "Analyze presence of outsourced capabilities",
"T1304": "Proxy/protocol relays",
"T1305": "Private whois services",
"T1306": "Anonymity services",
"T1307": "Acquire and/or use 3rd party infrastructure services",
"T1308": "Acquire and/or use 3rd party software services",
"T1309": "Obfuscate infrastructure",
"T1310": "Acquire or compromise 3rd party signing certificates",
"T1311": "Dynamic DNS",
"T1312": "Compromise 3rd party infrastructure to support delivery",
"T1313": "Obfuscation or cryptography",
"T1314": "Host-based hiding techniques",
"T1315": "Network-based hiding techniques",
"T1316": "Non-traditional or less attributable payment options",
"T1317": "Secure and protect infrastructure",
"T1318": "Obfuscate operational infrastructure",
"T1319": "Obfuscate or encrypt code",
"T1320": "Data Hiding",
"T1321": "Common, high volume protocols and software",
"T1322": "Misattributable credentials",
"T1326": "Domain registration hijacking",
"T1327": "Use multiple DNS infrastructures",
"T1328": "Buy domain name",
"T1329": "Acquire and/or use 3rd party infrastructure services",
"T1330": "Acquire and/or use 3rd party software services",
"T1331": "Obfuscate infrastructure",
"T1332": "Acquire or compromise 3rd party signing certificates",
"T1333": "Dynamic DNS",
"T1334": "Compromise 3rd party infrastructure to support delivery",
"T1335": "Procure required equipment and software",
"T1336": "Install and configure hardware, network, and systems",
"T1337": "SSL certificate acquisition for domain",
"T1338": "SSL certificate acquisition for trust breaking",
"T1339": "Create backup infrastructure",
"T1340": "Shadow DNS",
"T1341": "Build social network persona",
"T1342": "Develop social network persona digital footprint",
"T1343": "Choose pre-compromised persona and affiliated accounts",
"T1344": "Friend/Follow/Connect to targets of interest",
"T1345": "Create custom payloads",
"T1346": "Obtain/re-use payloads",
"T1347": "Build and configure delivery systems",
"T1348": "Identify resources required to build capabilities",
"T1349": "Build or acquire exploits",
"T1350": "Discover new exploits and monitor exploit-provider forums",
"T1351": "Remote access tool development",
"T1352": "C2 protocol development",
"T1353": "Post compromise tool development",
"T1354": "Compromise 3rd party or closed-source vulnerability/exploit information",
"T1355": "Create infected removable media",
"T1356": "Test callback functionality",
"T1357": "Test malware in various execution environments",
"T1358": "Review logs and residual traces",
"T1359": "Test malware to evade detection",
"T1360": "Test physical access",
"T1361": "Test signature detection for file upload/email filters",
"T1362": "Upload, install, and configure software/tools",
"T1363": "Port redirector",
"T1364": "Friend/Follow/Connect to targets of interest",
"T1365": "Hardware or software supply chain implant",
"T1379": "Disseminate removable media",
"T1389": "Identify vulnerabilities in third-party software libraries",
"T1390": "OS-vendor provided communication channels",
"T1391": "Choose pre-compromised mobile app developer account credentials or signing keys",
"T1392": "Obtain Apple iOS enterprise distribution key pair and certificate",
"T1393": "Test ability to evade automated mobile application security analysis performed by app stores",
"T1394": "Distribute malicious software development tools",
"T1396": "Obtain booter/stressor subscription",
"T1397": "Spearphishing for Information",
"T1398": "Modify OS Kernel or Boot Partition",
"T1399": "Modify Trusted Execution Environment",
"T1400": "Modify System Partition",
"T1401": "Abuse Device Administrator Access to Prevent Removal",
"T1402": "Broadcast Receivers",
"T1403": "Modify Cached Executable Code",
"T1404": "Exploit OS Vulnerability",
"T1405": "Exploit TEE Vulnerability",
"T1406": "Obfuscated Files or Information",
"T1407": "Download New Code at Runtime",
"T1408": "Disguise Root/Jailbreak Indicators",
"T1409": "Access Stored Application Data",
"T1410": "Network Traffic Capture or Redirection",
"T1411": "Input Prompt",
"T1412": "Capture SMS Messages",
"T1413": "Access Sensitive Data in Device Logs",
"T1414": "Capture Clipboard Data",
"T1415": "URL Scheme Hijacking",
"T1416": "Android Intent Hijacking",
"T1417": "Input Capture",
"T1418": "Application Discovery",
"T1420": "File and Directory Discovery",
"T1421": "System Network Connections Discovery",
"T1422": "System Network Configuration Discovery",
"T1423": "Network Service Scanning",
"T1424": "Process Discovery",
"T1426": "System Information Discovery",
"T1427": "Attack PC via USB Connection",
"T1428": "Exploit Enterprise Resources",
"T1429": "Capture Audio",
"T1430": "Location Tracking",
"T1432": "Access Contact List",
"T1433": "Access Call Log",
"T1435": "Access Calendar Entries",
"T1436": "Commonly Used Port",
"T1437": "Standard Application Layer Protocol",
"T1438": "Alternate Network Mediums",
"T1439": "Eavesdrop on Insecure Network Communication",
"T1444": "Masquerade as Legitimate Application",
"T1446": "Device Lockout",
"T1447": "Delete Device Data",
"T1448": "Carrier Billing Fraud",
"T1449": "Exploit SS7 to Redirect Phone Calls/SMS",
"T1450": "Exploit SS7 to Track Device Location",
"T1451": "SIM Card Swap",
"T1452": "Manipulate App Store Rankings or Ratings",
"T1456": "Drive-by Compromise",
"T1458": "Exploit via Charging Station or PC",
"T1461": "Lockscreen Bypass",
"T1463": "Manipulate Device Communication",
"T1464": "Jamming or Denial of Service",
"T1465": "Rogue Wi-Fi Access Points",
"T1466": "Downgrade to Insecure Protocols",
"T1467": "Rogue Cellular Base Station",
"T1468": "Remotely Track Device Without Authorization",
"T1469": "Remotely Wipe Data Without Authorization",
"T1470": "Obtain Device Cloud Backups",
"T1471": "Data Encrypted for Impact",
"T1472": "Generate Fraudulent Advertising Revenue",
"T1474": "Supply Chain Compromise",
"T1475": "Deliver Malicious App via Authorized App Store",
"T1476": "Deliver Malicious App via Other Means",
"T1477": "Exploit via Radio Interfaces",
"T1478": "Install Insecure or Malicious Configuration",
"T1480": "Execution Guardrails",
"T1480.001": "Execution Guardrails : Environmental Keying",
"T1481": "Web Service",
"T1482": "Domain Trust Discovery",
"T1484": "Group Policy Modification",
"T1485": "Data Destruction",
"T1486": "Data Encrypted for Impact",
"T1489": "Service Stop",
"T1490": "Inhibit System Recovery",
"T1491": "Defacement",
"T1491.001": "Defacement : Internal Defacement",
"T1491.002": "Defacement : External Defacement",
"T1495": "Firmware Corruption",
"T1496": "Resource Hijacking",
"T1497": "Virtualization/Sandbox Evasion",
"T1497.001": "Virtualization/Sandbox Evasion : System Checks",
"T1497.002": "Virtualization/Sandbox Evasion : User Activity Based Checks",
"T1497.003": "Virtualization/Sandbox Evasion : Time Based Evasion",
"T1498": "Network Denial of Service",
"T1498.001": "Network Denial of Service : Direct Network Flood",
"T1498.002": "Network Denial of Service : Reflection Amplification",
"T1499": "Endpoint Denial of Service",
"T1499.001": "Endpoint Denial of Service : OS Exhaustion Flood",
"T1499.002": "Endpoint Denial of Service : Service Exhaustion Flood",
"T1499.003": "Endpoint Denial of Service : Application Exhaustion Flood",
"T1499.004": "Endpoint Denial of Service : Application or System Exploitation",
"T1505": "Server Software Component",
"T1505.001": "Server Software Component : SQL Stored Procedures",
"T1505.002": "Server Software Component : Transport Agent",
"T1505.003": "Server Software Component : Web Shell",
"T1507": "Network Information Discovery",
"T1508": "Suppress Application Icon",
"T1509": "Uncommonly Used Port",
"T1510": "Clipboard Modification",
"T1512": "Capture Camera",
"T1513": "Screen Capture",
"T1516": "Input Injection",
"T1517": "Access Notifications",
"T1518": "Software Discovery",
"T1518.001": "Software Discovery : Security Software Discovery",
"T1520": "Domain Generation Algorithms",
"T1521": "Standard Cryptographic Protocol",
"T1523": "Evade Analysis Environment",
"T1525": "Implant Container Image",
"T1526": "Cloud Service Discovery",
"T1528": "Steal Application Access Token",
"T1529": "System Shutdown/Reboot",
"T1530": "Data from Cloud Storage Object",
"T1531": "Account Access Removal",
"T1532": "Data Encrypted",
"T1533": "Data from Local System",
"T1534": "Internal Spearphishing",
"T1535": "Unused/Unsupported Cloud Regions",
"T1537": "Transfer Data to Cloud Account",
"T1538": "Cloud Service Dashboard",
"T1539": "Steal Web Session Cookie",
"T1540": "Code Injection",
"T1541": "Foreground Persistence",
"T1542": "Pre-OS Boot",
"T1542.001": "Pre-OS Boot : System Firmware",
"T1542.002": "Pre-OS Boot : Component Firmware",
"T1542.003": "Pre-OS Boot : Bootkit",
"T1543": "Create or Modify System Process",
"T1543.001": "Create or Modify System Process : Launch Agent",
"T1543.002": "Create or Modify System Process : Systemd Service",
"T1543.003": "Create or Modify System Process : Windows Service",
"T1543.004": "Create or Modify System Process : Launch Daemon",
"T1544": "Remote File Copy",
"T1546": "Event Triggered Execution",
"T1546.001": "Event Triggered Execution : Change Default File Association",
"T1546.002": "Event Triggered Execution : Screensaver",
"T1546.003": "Event Triggered Execution : Windows Management Instrumentation Event Subscription",
"T1546.004": "Event Triggered Execution : .bash_profile and .bashrc",
"T1546.005": "Event Triggered Execution : Trap",
"T1546.006": "Event Triggered Execution : LC_LOAD_DYLIB Addition",
"T1546.007": "Event Triggered Execution : Netsh Helper DLL",
"T1546.008": "Event Triggered Execution : Accessibility Features",
"T1546.009": "Event Triggered Execution : AppCert DLLs",
"T1546.010": "Event Triggered Execution : AppInit DLLs",
"T1546.011": "Event Triggered Execution : Application Shimming",
"T1546.012": "Event Triggered Execution : Image File Execution Options Injection",
"T1546.013": "Event Triggered Execution : PowerShell Profile",
"T1546.014": "Event Triggered Execution : Emond",
"T1546.015": "Event Triggered Execution : Component Object Model Hijacking",
"T1547": "Boot or Logon Autostart Execution",
"T1547.001": "Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder",
"T1547.002": "Boot or Logon Autostart Execution : Authentication Package",
"T1547.003": "Boot or Logon Autostart Execution : Time Providers",
"T1547.004": "Boot or Logon Autostart Execution : Winlogon Helper DLL",
"T1547.005": "Boot or Logon Autostart Execution : Security Support Provider",
"T1547.006": "Boot or Logon Autostart Execution : Kernel Modules and Extensions",
"T1547.007": "Boot or Logon Autostart Execution : Re-opened Applications",
"T1547.008": "Boot or Logon Autostart Execution : LSASS Driver",
"T1547.009": "Boot or Logon Autostart Execution : Shortcut Modification",
"T1547.010": "Boot or Logon Autostart Execution : Port Monitors",
"T1547.011": "Boot or Logon Autostart Execution : Plist Modification",
"T1548": "Abuse Elevation Control Mechanism",
"T1548.001": "Abuse Elevation Control Mechanism : Setuid and Setgid",
"T1548.002": "Abuse Elevation Control Mechanism : Bypass User Access Control",
"T1548.003": "Abuse Elevation Control Mechanism : Sudo and Sudo Caching",
"T1548.004": "Abuse Elevation Control Mechanism : Elevated Execution with Prompt",
"T1550": "Use Alternate Authentication Material",
"T1550.001": "Use Alternate Authentication Material : Application Access Token",
"T1550.002": "Use Alternate Authentication Material : Pass the Hash",
"T1550.003": "Use Alternate Authentication Material : Pass the Ticket",
"T1550.004": "Use Alternate Authentication Material : Web Session Cookie",
"T1552": "Unsecured Credentials",
"T1552.001": "Unsecured Credentials : Credentials In Files",
"T1552.002": "Unsecured Credentials : Credentials in Registry",
"T1552.003": "Unsecured Credentials : Bash History",
"T1552.004": "Unsecured Credentials : Private Keys",
"T1552.005": "Unsecured Credentials : Cloud Instance Metadata API",
"T1552.006": "Unsecured Credentials : Group Policy Preferences",
"T1553": "Subvert Trust Controls",
"T1553.001": "Subvert Trust Controls : Gatekeeper Bypass",
"T1553.002": "Subvert Trust Controls : Code Signing",
"T1553.003": "Subvert Trust Controls : SIP and Trust Provider Hijacking",
"T1553.004": "Subvert Trust Controls : Install Root Certificate",
"T1554": "Compromise Client Software Binary",
"T1555": "Credentials from Password Stores",
"T1555.001": "Credentials from Password Stores : Keychain",
"T1555.002": "Credentials from Password Stores : Securityd Memory",
"T1555.003": "Credentials from Password Stores : Credentials from Web Browsers",
"T1556": "Modify Authentication Process",
"T1556.001": "Modify Authentication Process : Domain Controller Authentication",
"T1556.002": "Modify Authentication Process : Password Filter DLL",
"T1556.003": "Modify Authentication Process : Pluggable Authentication Modules",
"T1557": "Man-in-the-Middle",
"T1557.001": "Man-in-the-Middle : LLMNR/NBT-NS Poisoning and SMB Relay",
"T1558": "Steal or Forge Kerberos Tickets",
"T1558.001": "Steal or Forge Kerberos Tickets : Golden Ticket",
"T1558.002": "Steal or Forge Kerberos Tickets : Silver Ticket",
"T1558.003": "Steal or Forge Kerberos Tickets : Kerberoasting",
"T1559": "Inter-Process Communication",
"T1559.001": "Inter-Process Communication : Component Object Model",
"T1559.002": "Inter-Process Communication : Dynamic Data Exchange",
"T1560": "Archive Collected Data",
"T1560.001": "Archive Collected Data : Archive via Utility",
"T1560.002": "Archive Collected Data : Archive via Library",
"T1560.003": "Archive Collected Data : Archive via Custom Method",
"T1561": "Disk Wipe",
"T1561.001": "Disk Wipe : Disk Content Wipe",
"T1561.002": "Disk Wipe : Disk Structure Wipe",
"T1562": "Impair Defenses",
"T1562.001": "Impair Defenses : Disable or Modify Tools",
"T1562.002": "Impair Defenses : Disable Windows Event Logging",
"T1562.003": "Impair Defenses : HISTCONTROL",
"T1562.004": "Impair Defenses : Disable or Modify System Firewall",
"T1562.006": "Impair Defenses : Indicator Blocking",
"T1562.007": "Impair Defenses : Disable or Modify Cloud Firewall",
"T1563": "Remote Service Session Hijacking",
"T1563.001": "Remote Service Session Hijacking : SSH Hijacking",
"T1563.002": "Remote Service Session Hijacking : RDP Hijacking",
"T1564": "Hide Artifacts",
"T1564.001": "Hide Artifacts : Hidden Files and Directories",
"T1564.002": "Hide Artifacts : Hidden Users",
"T1564.003": "Hide Artifacts : Hidden Window",
"T1564.004": "Hide Artifacts : NTFS File Attributes",
"T1564.005": "Hide Artifacts : Hidden File System",
"T1564.006": "Hide Artifacts : Run Virtual Instance",
"T1565": "Data Manipulation",
"T1565.001": "Data Manipulation : Stored Data Manipulation",
"T1565.002": "Data Manipulation : Transmitted Data Manipulation",
"T1565.003": "Data Manipulation : Runtime Data Manipulation",
"T1566": "Phishing",
"T1566.001": "Phishing : Spearphishing Attachment",
"T1566.002": "Phishing : Spearphishing Link",
"T1566.003": "Phishing : Spearphishing via Service",
"T1567": "Exfiltration Over Web Service",
"T1567.001": "Exfiltration Over Web Service : Exfiltration to Code Repository",
"T1567.002": "Exfiltration Over Web Service : Exfiltration to Cloud Storage",
"T1568": "Dynamic Resolution",
"T1568.001": "Dynamic Resolution : Fast Flux DNS",
"T1568.002": "Dynamic Resolution : Domain Generation Algorithms",
"T1568.003": "Dynamic Resolution : DNS Calculation",
"T1569": "System Services",
"T1569.001": "System Services : Launchctl",
"T1569.002": "System Services : Service Execution",
"T1570": "Lateral Tool Transfer",
"T1571": "Non-Standard Port",
"T1572": "Protocol Tunneling",
"T1573": "Encrypted Channel",
"T1573.001": "Encrypted Channel : Symmetric Cryptography",
"T1573.002": "Encrypted Channel : Asymmetric Cryptography",
"T1574": "Hijack Execution Flow",
"T1574.001": "Hijack Execution Flow : DLL Search Order Hijacking",
"T1574.002": "Hijack Execution Flow : DLL Side-Loading",
"T1574.004": "Hijack Execution Flow : Dylib Hijacking",
"T1574.005": "Hijack Execution Flow : Executable Installer File Permissions Weakness",
"T1574.006": "Hijack Execution Flow : LD_PRELOAD",
"T1574.007": "Hijack Execution Flow : Path Interception by PATH Environment Variable",
"T1574.008": "Hijack Execution Flow : Path Interception by Search Order Hijacking",
"T1574.009": "Hijack Execution Flow : Path Interception by Unquoted Path",
"T1574.010": "Hijack Execution Flow : Services File Permissions Weakness",
"T1574.011": "Hijack Execution Flow : Services Registry Permissions Weakness",
"T1574.012": "Hijack Execution Flow : COR_PROFILER",
"T1575": "Native Code",
"T1576": "Uninstall Malicious Application",
"T1577": "Compromise Application Executable",
"T1578": "Modify Cloud Compute Infrastructure",
"T1578.001": "Modify Cloud Compute Infrastructure : Create Snapshot",
"T1578.002": "Modify Cloud Compute Infrastructure : Create Cloud Instance",
"T1578.003": "Modify Cloud Compute Infrastructure : Delete Cloud Instance",
"T1578.004": "Modify Cloud Compute Infrastructure : Revert Cloud Instance",
"T1579": "Keychain"
} }
mi_mapping = { mi_mapping = {
"M1036": "Account Use Policies", "M1036": "Account Use Policies",

View File

@ -146,7 +146,7 @@ class DetectionRule:
tactic = [] tactic = []
tactic_re = re.compile(r'attack\.\w\D+$') tactic_re = re.compile(r'attack\.\w\D+$')
technique = [] technique = []
technique_re = re.compile(r'attack\.t\d{1,5}$') technique_re = re.compile(r'(?:attack\.t\d{4}$|attack\.t\d{4}\.\d{3}$)')
# AM!TT Tactics and Techniques # AM!TT Tactics and Techniques
amitt_tactic = [] amitt_tactic = []
amitt_tactic_re = re.compile(r'amitt\.\w\D+$') amitt_tactic_re = re.compile(r'amitt\.\w\D+$')