资源开发
攻击者正在尝试建立可用于支持操作的资源。
资源开发包括涉及攻击者创建、购买或妥协/窃取可用于支持目标定位的资源的技术。此类资源包括基础结构、帐户或功能。攻击者可以利用这些资源在攻击者生命周期的其他阶段提供帮助,例如使用购买的域来支持命令和控制、在初始访问过程中通过电子邮件帐户进行网络钓鱼,或窃取代码签名证书以帮助防御规避。
技术: 8
| 编号 | 名字 | 描述 | |
|---|---|---|---|
| T1650 | 获取访问权限 | 攻击者可能会购买或以其他方式获取对目标系统或网络的现有访问权限。各种在线服务和初始访问代理网络可用于出售对以前受到损害的系统的访问权限。在某些情况下,敌对团体可能会形成合作伙伴关系,以相互共享受感染的系统。 | |
| T1583 | 获取基础架构 | 攻击者可能会购买、租赁或租用可在定位期间使用的基础设施。存在用于托管和编排对手操作的各种基础结构。基础架构解决方案包括物理或云服务器、域和第三方 Web 服务。此外,僵尸网络可供出租或购买。 | |
| .001 | 域 | 攻击者可能会获取可在定位期间使用的域。域名是用于表示一个或多个 IP 地址的人类可读名称。它们可以购买,或者在某些情况下可以免费获得。 | |
| .002 | 域名解析服务器 | 攻击者可以设置自己的域名系统 (DNS) 服务器,以便在定位期间使用。在入侵后活动期间,攻击者可能会利用 DNS 流量执行各种任务,包括命令和控制(例如:应用层协议)。攻击者可以选择配置和运行自己的 DNS 服务器来支持操作,而不是劫持现有的 DNS 服务器。 | |
| .003 | 虚拟专用服务器 | 攻击者可能会租用可在目标期间使用的虚拟专用服务器 (VPS)。存在各种云服务提供商将虚拟机/容器作为服务出售。通过使用VPS,对手可能很难将操作与他们进行物理联系。使用云基础架构还可以使攻击者更轻松地快速配置、修改和关闭其基础架构。 | |
| .004 | 服务器 | 攻击者可能会购买、租赁或租用可在目标定位期间使用的物理服务器。使用服务器允许对手暂存、启动和执行操作。在入侵后活动中,攻击者可能会利用服务器执行各种任务,包括命令和控制。攻击者可能会使用 Web 服务器来支持水坑操作(如偷渡式入侵),或使用电子邮件服务器来支持网络钓鱼操作。攻击者可以选择配置和运行自己的服务器来支持操作,而不是破坏第三方服务器或租用虚拟专用服务器。 | |
| .005 | 僵尸网络 | 攻击者可能会购买、租赁或租用可在目标定位期间使用的受感染系统网络。僵尸网络是一个由受感染系统组成的网络,可以指示它们执行协调任务。攻击者可以购买订阅以使用引导程序/压力程序服务中的现有僵尸网络。借助僵尸网络,攻击者可能会执行后续活动,例如大规模网络钓鱼或分布式拒绝服务 (DDoS)。 | |
| .006 | 网络服务 | 攻击者可以注册可在目标定位期间使用的 Web 服务。存在各种流行的网站供攻击者注册基于 Web 的服务,这些服务可能会在攻击者生命周期的后期阶段被滥用,例如在命令和控制(Web 服务)、通过 Web 服务外泄或网络钓鱼期间。使用常见的服务,例如谷歌或Twitter提供的服务,可以让对手更容易隐藏在预期的噪音中。通过使用 Web 服务,攻击者可能难以将操作与它们物理绑定。 | |
| .007 | 无服务器 | 攻击者可以购买和配置可在目标定位期间使用的无服务器云基础设施,例如 Cloudflare Worker 或 AWS Lambda 函数。通过利用无服务器基础设施,对手可能会更难将操作期间使用的基础设施归咎于他们。 | |
| .008 | 恶意广告 | 攻击者可能会购买可被滥用的在线广告,以向受害者分发恶意软件。可以购买广告以在线特定位置种植和有利定位工件,例如在搜索引擎结果中的显眼位置。这些广告可能会使用户更难区分实际搜索结果和广告。购买的广告还可以使用广告网络的功能针对特定受众,从而可能进一步利用搜索引擎和流行网站固有的信任。 | |
| T1586 | 泄露帐户 | 攻击者可能会使用可在定位期间使用的服务破坏帐户。对于包含社会工程的操作,在线角色的利用可能很重要。攻击者可能会破坏现有帐户,而不是创建和培养帐户(即建立帐户)。利用现有角色可能会对潜在受害者产生一定程度的信任,如果他们与受损角色有关系或知识。 | |
| .001 | 社交媒体账户 | 攻击者可能会破坏可在定位期间使用的社交媒体帐户。对于包含社会工程的操作,在线角色的利用可能很重要。对手可能会破坏现有的社交媒体帐户,而不是创建和培养社交媒体配置文件(即社交媒体帐户)。利用现有角色可能会对潜在受害者产生一定程度的信任,如果他们与受损角色有关系或知识。 | |
| .002 | 电子邮件帐户 | 攻击者可能会破坏可在定位期间使用的电子邮件帐户。攻击者可以使用受损的电子邮件帐户来进一步操作,例如利用它们进行信息网络钓鱼、网络钓鱼或大规模垃圾邮件活动。如果潜在受害者与受感染的角色有关系或了解该角色,则使用具有受感染电子邮件帐户的现有角色可能会对潜在受害者产生一定程度的信任。被盗用的电子邮件帐户也可用于获取基础设施(例如:域)。 | |
| .003 | 云帐户 | 攻击者可能会破坏可在目标定位期间使用的云帐户。攻击者可以使用受损的云帐户来进一步操作,包括利用 Dropbox、Microsoft OneDrive 或 AWS S3 存储桶等云存储服务进行渗透到云存储或上传工具。云帐户还可用于获取基础架构,例如虚拟专用服务器或无服务器基础架构。泄露云帐户可能允许攻击者在不管理自己的服务器的情况下开发复杂的功能。 | |
| T1584 | 折衷基础架构 | 攻击者可能会破坏可在目标定位期间使用的第三方基础结构。基础架构解决方案包括物理或云服务器、域以及第三方 Web 和 DNS 服务。攻击者可能会破坏基础设施,并在对手生命周期的其他阶段使用它,而不是购买、租赁或租用基础设施。此外,攻击者可能会破坏许多机器以形成他们可以利用的僵尸网络。 | |
| .001 | 域 | 攻击者可能会劫持可在定位期间使用的域和/或子域。域名注册劫持是指未经原注册人许可而更改域名注册的行为。攻击者可能会访问列为域所有者的人员的电子邮件帐户。然后,攻击者可以声称他们忘记了密码,以便对域注册进行更改。其他可能性包括对域名注册帮助台进行社会工程,以访问帐户或利用续订流程差距。 | |
| .002 | 域名解析服务器 | 攻击者可能会破坏可在目标定位期间使用的第三方 DNS 服务器。在入侵后活动期间,攻击者可能会利用 DNS 流量执行各种任务,包括命令和控制(例如:应用层协议)。攻击者可能会破坏第三方 DNS 服务器以支持操作,而不是设置自己的 DNS 服务器。 | |
| .003 | 虚拟专用服务器 | 攻击者可能会破坏可在目标定位期间使用的第三方虚拟专用服务器 (VPS)。存在各种云服务提供商将虚拟机/容器作为服务出售。攻击者可能会破坏第三方实体购买的 VPS。通过破坏 VPS 以用作基础设施,对手可能难以将操作与自己物理绑定。 | |
| .004 | 服务器 | 攻击者可能会破坏可在目标定位期间使用的第三方服务器。使用服务器允许对手暂存、启动和执行操作。在入侵后活动中,攻击者可能会利用服务器执行各种任务,包括命令和控制。攻击者可能会破坏第三方服务器以支持操作,而不是购买服务器或虚拟专用服务器。 | |
| .005 | 僵尸网络 | 攻击者可能会破坏许多第三方系统,以形成可在定位期间使用的僵尸网络。僵尸网络是一个由受感染系统组成的网络,可以指示它们执行协调任务。攻击者不是从引导程序/压力程序服务购买/租用僵尸网络,而是可以通过破坏众多第三方系统来构建自己的僵尸网络。攻击者还可能接管现有的僵尸网络,例如将机器人重定向到对手控制的 C2 服务器。借助僵尸网络,攻击者可能会执行后续活动,例如大规模网络钓鱼或分布式拒绝服务 (DDoS)。 | |
| .006 | 网络服务 | 攻击者可能会破坏对可在定位期间使用的第三方 Web 服务的访问。存在各种流行的网站供合法用户注册基于Web的服务,例如GitHub,Twitter,Dropbox,Google,SendGrid等。攻击者可能会尝试获得合法用户对 Web 服务的访问权限的所有权,并将该 Web 服务用作支持网络操作的基础设施。此类 Web 服务可能会在攻击者生命周期的后期阶段被滥用,例如在命令和控制(Web 服务)、通过 Web 服务外泄或网络钓鱼期间。使用常见的服务,例如谷歌或Twitter提供的服务,可以让对手更容易隐藏在预期的噪音中。通过使用 Web 服务,特别是当访问权从合法用户那里被盗时,攻击者可能很难将操作与它们物理绑定。此外,利用受感染的基于 Web 的电子邮件服务可能允许攻击者利用与合法域相关的信任。 | |
| .007 | 无服务器 | 攻击者可能会破坏可在目标定位期间使用的无服务器云基础设施,例如 Cloudflare Worker 或 AWS Lambda 函数。通过利用无服务器基础设施,对手可能会更难将操作期间使用的基础设施归咎于他们。 | |
| T1587 | 发展能力 | 攻击者可以构建可在瞄准期间使用的功能。与其购买、免费下载或窃取功能,对手可能会在内部开发自己的能力。这是确定开发要求和构建解决方案(如恶意软件、漏洞利用和自签名证书)的过程。攻击者可能会开发能力,以便在对手生命周期的许多阶段支持其行动。 | |
| .001 | 恶意软件 | 攻击者可能会开发可在目标定位期间使用的恶意软件和恶意软件组件。构建恶意软件可能包括开发有效负载、投放程序、入侵后工具、后门程序(包括后门映像)、打包程序、C2 协议以及创建受感染的可移动媒体。攻击者可能会开发恶意软件来支持其操作,从而创建一种保持对远程计算机的控制、逃避防御和执行入侵后行为的方法。 | |
| .002 | 代码签名证书 | 攻击者可能会创建可在目标定位期间使用的自签名代码签名证书。代码签名是对可执行文件和脚本进行数字签名的过程,以确认软件作者并保证代码未被更改或损坏。代码签名为开发人员提供程序提供了一定程度的真实性,并保证程序未被篡改。用户和/或安全工具可能更信任已签名的代码段,而不是未签名的代码段,即使他们不知道证书颁发者或作者是谁。 | |
| .003 | 数字证书 | 攻击者可能会创建可在目标定位期间使用的自签名 SSL/TLS 证书。SSL/TLS 证书旨在灌输信任。它们包括有关密钥的信息、有关其所有者身份的信息以及已验证证书内容正确的实体的数字签名。如果签名有效,并且检查证书的人员信任签名者,则他们知道可以使用该密钥与其所有者进行通信。在自签名的情况下,数字证书将缺少与第三方证书颁发机构 (CA) 签名关联的信任元素。 | |
| .004 | 利用 | 攻击者可能会开发可在瞄准期间使用的攻击。漏洞利用错误或漏洞,导致计算机硬件或软件上发生意外或意外行为。攻击者不是从在线查找/修改漏洞或从漏洞利用供应商处购买漏洞,而是可以开发自己的漏洞。攻击者可能会使用通过漏洞获取的信息来集中利用开发工作。作为漏洞利用开发过程的一部分,攻击者可以通过模糊测试和补丁分析等方法发现可利用的漏洞。 | |
| T1585 | 建立账户 | 攻击者可能会使用可在定位期间使用的服务创建和培养帐户。攻击者可以创建可用于构建角色以进一步操作的帐户。人物发展包括公共信息、存在、历史和适当隶属关系的发展。这种发展可以应用于社交媒体、网站或其他公开可用的信息,这些信息可以在使用该角色或身份的行动过程中被引用和审查合法性。 | |
| .001 | 社交媒体账户 | 攻击者可能会创建和培养可在定位期间使用的社交媒体帐户。攻击者可以创建社交媒体帐户,这些帐户可用于构建角色以进行进一步的操作。人物发展包括公共信息、存在、历史和适当隶属关系的发展。 | |
| .002 | 电子邮件帐户 | 攻击者可能会创建可在定位期间使用的电子邮件帐户。攻击者可以使用通过电子邮件提供商创建的帐户来进一步操作,例如利用它们进行信息网络钓鱼或网络钓鱼。攻击者还可能采取措施在电子邮件帐户周围培养角色,例如通过使用社交媒体帐户,以增加后续行为成功的机会。创建的电子邮件帐户也可用于获取基础设施(例如:域)。 | |
| .003 | 云帐户 | 攻击者可能会使用云提供商创建帐户,以便在定位期间使用。攻击者可以使用云帐户来进一步操作,包括利用云存储服务(如Dropbox,MEGA,Microsoft OneDrive或AWS S3存储桶)渗透到云存储或上传工具。云帐户还可用于获取基础架构,例如虚拟专用服务器或无服务器基础架构。建立云帐户可能允许攻击者在不管理自己的服务器的情况下开发复杂的功能。 | |
| T1588 | 获取能力 | 攻击者可能会购买和/或窃取可在瞄准过程中使用的功能。对手不是在内部开发自己的能力,而是可以购买、免费下载或窃取它们。活动可能包括获取恶意软件、软件(包括许可证)、漏洞利用、证书以及与漏洞相关的信息。攻击者可以获得在对手生命周期的许多阶段支持其操作的能力。 | |
| .001 | 恶意软件 | 攻击者可能会购买、窃取或下载可在定位过程中使用的恶意软件。恶意软件可能包括有效负载、投放程序、入侵后工具、后门、打包程序和 C2 协议。攻击者可能会获取恶意软件来支持其操作,从而获得保持对远程计算机的控制、逃避防御和执行入侵后行为的方法。 | |
| .002 | 工具 | 攻击者可能会购买、窃取或下载可在瞄准过程中使用的软件工具。工具可以是开源的或闭源的,免费的或商业的。工具可以被对手用于恶意目的,但(与恶意软件不同)不打算用于这些目的(例如:PsExec)。工具获取可能涉及商业软件许可证的采购,包括Cobalt Strike等红队工具的采购。商业软件可以通过购买、窃取许可证(或软件的许可副本)或破解试用版获得。 | |
| .003 | 代码签名证书 | 攻击者可能会购买和/或窃取可在定位期间使用的代码签名证书。代码签名是对可执行文件和脚本进行数字签名的过程,以确认软件作者并保证代码未被更改或损坏。代码签名为开发人员提供程序提供了一定程度的真实性,并保证程序未被篡改。用户和/或安全工具可能更信任已签名的代码段,而不是未签名的代码段,即使他们不知道证书颁发者或作者是谁。 | |
| .004 | 数字证书 | 攻击者可能会购买和/或窃取可在目标定位期间使用的 SSL/TLS 证书。SSL/TLS 证书旨在灌输信任。它们包括有关密钥的信息、有关其所有者身份的信息以及已验证证书内容正确的实体的数字签名。如果签名有效,并且检查证书的人员信任签名者,则他们知道可以使用该密钥与其所有者进行通信。 | |
| .005 | 利用 | 攻击者可能会购买、窃取或下载可在定位期间使用的漏洞利用。漏洞利用错误或漏洞,导致计算机硬件或软件上发生意外或意外行为。攻击者可能会从在线查找/修改漏洞或从漏洞利用供应商处购买漏洞,而不是开发自己的漏洞。 | |
| .006 | 漏洞 | 攻击者可能会获取有关可在目标定位期间使用的漏洞的信息。漏洞是计算机硬件或软件中的弱点,攻击者可能会利用它来导致意外或意外行为的发生。攻击者可以通过搜索开放数据库或访问封闭的漏洞数据库来查找漏洞信息。 | |
| T1608 | 舞台功能 | 攻击者可以上传、安装或以其他方式设置可在目标定位期间使用的功能。为了支持他们的行动,对手可能需要获取他们开发(开发能力)或获得的能力(获取能力),并将其暂存到他们控制的基础设施上。这些功能可能暂存于攻击者以前购买/租用的基础结构(获取基础结构)或以其他方式受到攻击者破坏的基础结构(入侵基础结构)。功能也可以暂存于 Web 服务(如 GitHub 或 Pastebin)或平台即服务 (PaaS) 产品上,使用户能够轻松配置应用程序。 | |
| .001 | 上传恶意软件 | 攻击者可能会将恶意软件上传到第三方或对手控制的基础设施,以便在攻击期间访问。恶意软件可能包括有效负载、投放程序、入侵后工具、后门和各种其他恶意内容。攻击者可能会上传恶意软件来支持其操作,例如将有效负载提供给受害网络,以便通过将有效负载放置在可访问的 Internet Web 服务器上来启用入口工具传输。 | |
| .002 | 上传工具 | 攻击者可能会将工具上传到第三方或对手控制的基础设施,以便在瞄准期间访问。工具可以是开源的或闭源的,免费的或商业的。工具可以被对手用于恶意目的,但(与恶意软件不同)不打算用于这些目的(例如:PsExec)。攻击者可以上传工具以支持其操作,例如,通过将工具放置在可访问的 Internet 服务器上,使工具可供受害网络使用,以启用入口工具传输。 | |
| .003 | 安装数字证书 | 攻击者可能会安装可在目标定位期间使用的 SSL/TLS 证书。SSL/TLS 证书是可以安装在服务器上的文件,以实现系统之间的安全通信。数字证书包括有关密钥的信息、有关其所有者身份的信息以及已验证证书内容正确的实体的数字签名。如果签名有效,并且检查证书的人员信任签名者,则他们知道可以使用该密钥与其所有者进行安全通信。可以将证书上传到服务器,然后将服务器配置为使用该证书来启用与其加密通信。 | |
| .004 | 路过目标 | 攻击者可能会准备一个操作环境来感染在正常浏览过程中访问网站的系统。终结点系统可能会通过浏览到对手控制的站点而受到威胁,如偷渡式入侵中所示。在这种情况下,用户的 Web 浏览器通常成为攻击目标(登陆网站后通常不需要任何额外的用户交互),但攻击者也可能为非利用行为(如应用程序访问令牌)设置网站。在偷渡式入侵之前,攻击者必须暂存向浏览到攻击者控制站点的用户提供该攻击所需的资源。偷渡式内容可以暂存到已获取(获取基础结构)或以前已泄露(入侵基础结构)的对手控制的基础结构上。 | |
| .005 | 链接目标 | 攻击者可能会放置由可在目标定位期间使用的链接引用的资源。攻击者可能依赖于用户单击恶意链接来泄露信息(包括凭据)或获得执行,如恶意链接中所述。链接可用于鱼叉式网络钓鱼,例如发送带有社会工程文本的电子邮件,以诱使用户主动单击或将 URL 复制并粘贴到浏览器中。在网络钓鱼获取信息(如鱼叉式网络钓鱼链接)或网络钓鱼获取对系统的初始访问权限(如鱼叉式网络钓鱼链接)之前,攻击者必须为鱼叉式网络钓鱼链接的链接目标设置资源。 | |
| .006 | 搜索引擎优化中毒 | 攻击者可能会毒害影响搜索引擎优化 (SEO) 的机制,以进一步引诱分阶段的能力接近潜在受害者。搜索引擎通常会根据购买的广告以及由其网络爬虫和算法计算的网站排名/分数/声誉向用户显示结果。 |
The adversary is trying to establish resources they can use to support operations.
Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.
Techniques: 8
| ID | Name | Description | |
|---|---|---|---|
| T1650 | Acquire Access | Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems. In some cases, adversary groups may form partnerships to share compromised systems with each other. | |
| T1583 | Acquire Infrastructure | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Additionally, botnets are available for rent or purchase. | |
| .001 | Domains | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. | |
| .002 | DNS Server | Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. | |
| .003 | Virtual Private Server | Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. | |
| .004 | Server | Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations. | |
| .005 | Botnet | Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS). | |
| .006 | Web Services | Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them. | |
| .007 | Serverless | Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. | |
| .008 | Malvertising | Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements. Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. | |
| T1586 | Compromise Accounts | Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. | |
| .001 | Social Media Accounts | Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. | |
| .002 | Email Accounts | Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information, Phishing, or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains). | |
| .003 | Cloud Accounts | Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers. | |
| T1584 | Compromise Infrastructure | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. | |
| .001 | Domains | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. | |
| .002 | DNS Server | Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. | |
| .003 | Virtual Private Server | Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves. | |
| .004 | Server | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations. | |
| .005 | Botnet | Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS). | |
| .006 | Web Services | Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains. | |
| .007 | Serverless | Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. | |
| T1587 | Develop Capabilities | Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle. | |
| .001 | Malware | Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. | |
| .002 | Code Signing Certificates | Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. | |
| .003 | Digital Certificates | Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA). | |
| .004 | Exploits | Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits. Adversaries may use information acquired via Vulnerabilities to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis. | |
| T1585 | Establish Accounts | Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity. | |
| .001 | Social Media Accounts | Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. | |
| .002 | Email Accounts | Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains). | |
| .003 | Cloud Accounts | Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers. | |
| T1588 | Obtain Capabilities | Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. | |
| .001 | Malware | Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. | |
| .002 | Tool | Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions. | |
| .003 | Code Signing Certificates | Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. | |
| .004 | Digital Certificates | Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. | |
| .005 | Exploits | Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors. | |
| .006 | Vulnerabilities | Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases. | |
| T1608 | Stage Capabilities | Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications. | |
| .001 | Upload Malware | Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server. | |
| .002 | Upload Tool | Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server. | |
| .003 | Install Digital Certificate | Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it. | |
| .004 | Drive-by Target | Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure). | |
| .005 | Link Target | Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in Malicious Link. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in Spearphishing Link) or a phish to gain initial access to a system (as in Spearphishing Link), an adversary must set up the resources for a link target for the spearphishing link. | |
| .006 | SEO Poisoning | Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms. |