{ "source": "MITRE ATT&CK Enterprise v19.1", "note": "非公式日本語参照データ。© The MITRE Corporation. https://attack.mitre.org/", "generated": "2026-06-04", "tactics": [ { "tactic": "TA0043", "tactic_en": "Reconnaissance", "tactic_ja": "偵察", "techniques": [ { "tid": "T1595", "ja": "アクティブスキャン", "en": "Active Scanning", "desc_en": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.", "desc_ja": "敵対者は標的選定に使える情報を集めるため、能動的な偵察スキャンを実行することがある。能動的スキャンは、直接的な相互作用を伴わない他の偵察と異なり、ネットワークトラフィックを介して標的インフラを直接探査するものを指す。", "platforms": "PRE", "version": "1.0", "created": "02 October 2020", "modified": "24 October 2025", "subs": [ { "sid": ".001", "tid": "T1595.001", "ja": "IPブロックのスキャン", "en": "Scanning IP Blocks", "desc_en": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.", "desc_ja": "敵対者は標的選定に使える情報を集めるため、標的のIPブロックをスキャンすることがある。公開IPアドレスは組織にブロック単位、または連続するアドレス範囲で割り当てられることがある。" }, { "sid": ".002", "tid": "T1595.002", "ja": "脆弱性スキャン", "en": "Vulnerability Scanning", "desc_en": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application potentially aligns with the target of a specific exploit.", "desc_ja": "敵対者は標的選定に使える脆弱性を求めて標的をスキャンすることがある。脆弱性スキャンは通常、標的のホスト/アプリの構成(ソフトとバージョン等)が特定のエクスプロイトの対象と合致しうるかを確認する。" }, { "sid": ".003", "tid": "T1595.003", "ja": "ワードリストスキャン", "en": "Wordlist Scanning", "desc_en": "Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. Its goal is the identification of content and infrastructure rather than the discovery of valid credentials.", "desc_ja": "敵対者はブルートフォースやクローリングの手法でインフラを反復的に探査することがある。Brute Force(T1110)と似た手法だが、目的は有効な認証情報の発見ではなくコンテンツやインフラの特定にある。汎用的な名称やファイル拡張子、特定ソフト固有の語などを含むワードリストが使われる。" } ], "procedures": [ { "id": "C0030", "name": "Triton Safety Instrumented System Attack", "desc_en": "In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0830", "name": "Detection of Active Scanning", "name_ja": "アクティブスキャンの検知", "desc_en": "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor and analyze traffic patterns and packet inspection associated to protocols that do not follow expected standards and traffic flows.", "desc_ja": "通常と異なるデータフローがないかネットワークデータを監視する。普段ネットワーク通信を行わない、または初めて観測されるプロセスがネットワークを使用している場合は不審である。期待される標準やトラフィックフローに従わないプロトコルに関連するトラフィックパターンやパケット検査を監視・分析する。" } ] }, { "tid": "T1592", "ja": "標的ホスト情報の収集", "en": "Gather Victim Host Information", "desc_en": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include administrative data (name, assigned IP, functionality) as well as configuration specifics (operating system, language, etc.).", "desc_ja": "敵対者は標的選定に使える、標的のホストに関する情報を収集することがある。名称・割当IP・機能などの管理データや、OS・言語などの構成情報が含まれうる。", "platforms": "PRE", "version": "1.2", "created": "02 October 2020", "modified": "24 October 2025", "subs": [ { "sid": ".001", "tid": "T1592.001", "ja": "ハードウェア", "en": "Hardware", "desc_en": "Adversaries may gather information about the victim's host hardware that can be used during targeting, including types and versions, as well as the presence of additional components that might indicate added defensive protections (ex: card/biometric readers, dedicated encryption hardware).", "desc_ja": "敵対者は標的のホストハードウェアに関する情報を収集することがある。種類やバージョンに加え、防御強化を示唆する追加コンポーネント(カード/生体認証リーダー、専用暗号化ハードウェア等)の有無が含まれうる。" }, { "sid": ".002", "tid": "T1592.002", "ja": "ソフトウェア", "en": "Software", "desc_en": "Adversaries may gather information about the victim's host software, including types and versions, as well as the presence of additional components that might indicate added defensive protections (ex: antivirus, SIEMs).", "desc_ja": "敵対者は標的のホストソフトウェアに関する情報を収集することがある。種類やバージョンに加え、防御強化を示唆する追加コンポーネント(アンチウイルス、SIEM等)の有無が含まれうる。" }, { "sid": ".003", "tid": "T1592.003", "ja": "ファームウェア", "en": "Firmware", "desc_en": "Adversaries may gather information about the victim's host firmware, including type and versions, which may be used to infer more information about hosts (ex: configuration, purpose, age/patch level).", "desc_ja": "敵対者は標的のホストファームウェアに関する情報を収集することがある。種類やバージョンから、構成・用途・経年/パッチ適用状況など、ホストに関するさらなる情報を推測しうる。" }, { "sid": ".004", "tid": "T1592.004", "ja": "クライアント構成", "en": "Client Configurations", "desc_en": "Adversaries may gather information about the victim's client configurations, including OS/version, virtualization, architecture (32/64 bit), language, and/or time zone.", "desc_ja": "敵対者は標的のクライアント構成に関する情報を収集することがある。OS/バージョン、仮想化、アーキテクチャ(32/64ビット)、言語、タイムゾーンなどが含まれうる。" } ], "procedures": [ { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has conducted pre-compromise reconnaissance for victim host information." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0826", "name": "Detection of Gather Victim Host Information", "name_ja": "標的ホスト情報収集の検知", "desc_en": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors. Much of this activity may have a very high occurrence and associated false positive rate, making detection difficult; detection efforts may be focused on related stages such as Initial Access.", "desc_ja": "訪問者からホスト情報を収集するよう設計された悪意あるコンテンツのパターンを、インターネットスキャナで探索しうる。この活動は発生頻度・誤検知率が非常に高く、標的組織の可視範囲外で行われることも多いため検知は困難。初期アクセス等の関連段階での検知に注力するとよい。" } ] }, { "tid": "T1589", "ja": "標的ID情報の収集", "en": "Gather Victim Identity Information", "desc_en": "Adversaries may gather information about the victim's identity, including personal data (employee names, email addresses) as well as sensitive details such as credentials or MFA configurations.", "desc_ja": "敵対者は標的のID情報を収集することがある。従業員名・メールアドレスといった個人データや、認証情報・MFA構成などの機密情報が含まれうる。", "platforms": "PRE", "version": "1.3", "created": "02 October 2020", "modified": "24 October 2025", "subs": [ { "sid": ".001", "tid": "T1589.001", "ja": "認証情報", "en": "Credentials", "desc_en": "Adversaries may gather credentials that can be used during targeting, taking advantage of the tendency for users to reuse passwords across personal and business accounts.", "desc_ja": "敵対者は標的選定に使える認証情報を収集することがある。標的組織に直接関連するものや、個人・業務アカウントでパスワードを使い回す傾向を悪用したものがある。" }, { "sid": ".002", "tid": "T1589.002", "ja": "メールアドレス", "en": "Email Addresses", "desc_en": "Adversaries may gather email addresses that can be used during targeting. Organizations may have public-facing email infrastructure and addresses for employees.", "desc_ja": "敵対者は標的選定に使えるメールアドレスを収集することがある。内部インスタンスがあっても、組織は公開向けのメールインフラや従業員アドレスを持つことがある。" }, { "sid": ".003", "tid": "T1589.003", "ja": "従業員名", "en": "Employee Names", "desc_en": "Adversaries may gather employee names, which can be used to derive email addresses and to help guide other reconnaissance efforts or craft more-believable lures.", "desc_ja": "敵対者は標的選定に使える従業員名を収集することがある。メールアドレスの導出や、他の偵察活動の方向付け、より信憑性のある誘い(ルアー)の作成に役立てられる。" } ], "procedures": [ { "id": "G0050", "name": "APT32", "desc_en": "APT32 has conducted targeted surveillance against activists and bloggers." }, { "id": "G1052", "name": "Contagious Interview", "desc_en": "Contagious Interview has researched specific professional groups such as software developers for targeting, and also individuals working in cryptocurrency and blockchain roles." }, { "id": "G1016", "name": "FIN13", "desc_en": "FIN13 has researched employees to target for social engineering attacks." }, { "id": "G1001", "name": "HEXANE", "desc_en": "HEXANE has identified specific potential victims at targeted organizations." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures." }, { "id": "G0059", "name": "Magic Hound", "desc_en": "Magic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations." }, { "id": "C0022", "name": "Operation Dream Job", "desc_en": "For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors targeted people based on their organizational roles and privileges." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has used information from previous data breaches to identify employee names to be used in social engineering." }, { "id": "G1033", "name": "Star Blizzard", "desc_en": "Star Blizzard has identified ways to engage targets by researching potential victims' interests and social or professional contacts." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has gathered victim identity information during pre-compromise reconnaissance." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0841", "name": "Detection of Gather Victim Identity Information", "name_ja": "標的ID情報収集の検知", "desc_en": "Monitor for suspicious network traffic that could be indicative of probing for user information, such as large/iterative quantities of authentication requests originating from a single source. Analyzing web metadata may also reveal artifacts attributable to malicious activity, such as referer or user-agent string HTTP/S fields.", "desc_ja": "単一の送信元からの大量・反復的な認証リクエストなど、ユーザー情報の探索を示唆しうる不審なネットワークトラフィックを監視する。Webメタデータの分析により、referer や user-agent 文字列などのHTTP/Sフィールドから悪意ある活動に帰属しうる痕跡が判明することもある。" } ] }, { "tid": "T1590", "ja": "標的ネットワーク情報の収集", "en": "Gather Victim Network Information", "desc_en": "Adversaries may gather information about the victim's networks, including administrative data (IP ranges, domain names) as well as specifics regarding topology and operations.", "desc_ja": "敵対者は標的のネットワークに関する情報を収集することがある。IPレンジ・ドメイン名などの管理データや、トポロジー・運用に関する詳細が含まれうる。", "platforms": "PRE", "version": "1.0", "created": "02 October 2020", "modified": "24 October 2025", "subs": [ { "sid": ".001", "tid": "T1590.001", "ja": "ドメインプロパティ", "en": "Domain Properties", "desc_en": "Adversaries may gather information about the victim's network domains, including registrar, contacts (emails, phone numbers), business addresses, and name servers.", "desc_ja": "敵対者は標的のネットワークドメインに関する情報を収集することがある。所有ドメイン、管理データ(名称・レジストラ等)、連絡先(メール・電話番号)、事業所住所、ネームサーバなどが含まれうる。" }, { "sid": ".002", "tid": "T1590.002", "ja": "DNS", "en": "DNS", "desc_en": "Adversaries may gather information about the victim's DNS, including registered name servers and records that outline addressing for subdomains, mail servers, and other hosts. MX/TXT/SPF records may reveal third-party cloud/SaaS providers.", "desc_ja": "敵対者は標的のDNSに関する情報を収集することがある。登録ネームサーバや、サブドメイン・メールサーバ・他ホストのアドレッシングを示すレコードが含まれうる。MX/TXT/SPFレコードはOffice 365やG Suite等の第三者クラウド/SaaS利用を露呈しうる。" }, { "sid": ".003", "tid": "T1590.003", "ja": "ネットワーク信頼依存関係", "en": "Network Trust Dependencies", "desc_en": "Adversaries may gather information about the victim's network trust dependencies, including second- or third-party organizations/domains (ex: MSPs, contractors) that have connected and potentially elevated network access.", "desc_ja": "敵対者は標的のネットワーク信頼依存関係に関する情報を収集することがある。接続済みで(場合により昇格された)ネットワークアクセスを持つ第二者・第三者組織/ドメイン(MSP、請負業者等)が含まれうる。" }, { "sid": ".004", "tid": "T1590.004", "ja": "ネットワークトポロジー", "en": "Network Topology", "desc_en": "Adversaries may gather information about the victim's network topology, including the physical and/or logical arrangement of external-facing and internal network environments, and specifics regarding network devices (gateways, routers).", "desc_ja": "敵対者は標的のネットワークトポロジーに関する情報を収集することがある。外部公開・内部ネットワーク環境の物理的/論理的配置や、ネットワーク機器(ゲートウェイ、ルータ等)の詳細が含まれうる。" }, { "sid": ".005", "tid": "T1590.005", "ja": "IPアドレス", "en": "IP Addresses", "desc_en": "Adversaries may gather the victim's IP addresses, which may enable an adversary to derive other details such as organizational size, physical location, ISP, and where/how their public-facing infrastructure is hosted.", "desc_ja": "敵対者は標的のIPアドレスを収集することがある。使用中のIPの把握に加え、組織規模・物理的所在地・ISP・公開インフラのホスティング先や方法など、標的に関する他の詳細の導出を可能にしうる。" }, { "sid": ".006", "tid": "T1590.006", "ja": "ネットワークセキュリティアプライアンス", "en": "Network Security Appliances", "desc_en": "Adversaries may gather information about the victim's network security appliances, such as deployed firewalls, content filters, proxies/bastion hosts, and NIDS.", "desc_ja": "敵対者は標的のネットワークセキュリティアプライアンスに関する情報を収集することがある。配備されたファイアウォール、コンテンツフィルタ、プロキシ/踏み台ホストの有無や詳細、NIDS等の防御運用関連機器の情報が含まれうる。" } ], "procedures": [ { "id": "G0125", "name": "HAFNIUM", "desc_en": "HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment." }, { "id": "G0119", "name": "Indrik Spider", "desc_en": "Indrik Spider has downloaded tools such as Advanced Port Scanner and Lansweeper to conduct internal reconnaissance of the victim network, and accessed the victim's VMware vCenter which had host configuration and cluster information." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has conducted extensive pre-compromise reconnaissance to learn about the target organization's network." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0869", "name": "Detection of Gather Victim Network Information", "name_ja": "標的ネットワーク情報収集の検知", "desc_en": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", "desc_ja": "この活動は発生頻度・誤検知率が非常に高く、標的組織の可視範囲外で行われることも多いため検知は困難。初期アクセスなど、敵対者ライフサイクルの関連段階での検知に注力するとよい。" } ] }, { "tid": "T1591", "ja": "標的組織情報の収集", "en": "Gather Victim Org Information", "desc_en": "Adversaries may gather information about the victim's organization, including names of divisions/departments, specifics of business operations, and the roles and responsibilities of key employees.", "desc_ja": "敵対者は標的の組織に関する情報を収集することがある。部門名、事業運営の詳細、主要従業員の役割と責任などが含まれうる。", "platforms": "PRE", "version": "1.1", "created": "02 October 2020", "modified": "24 October 2025", "subs": [ { "sid": ".001", "tid": "T1591.001", "ja": "物理的所在地の特定", "en": "Determine Physical Locations", "desc_en": "Adversaries may gather the victim's physical location(s), including where key resources and infrastructure are housed. Physical locations may also indicate legal jurisdiction/authorities.", "desc_ja": "敵対者は標的の物理的所在地を収集することがある。主要なリソースやインフラの所在地が含まれうる。所在地は、標的が属する法域や管轄当局も示しうる。" }, { "sid": ".002", "tid": "T1591.002", "ja": "取引関係", "en": "Business Relationships", "desc_en": "Adversaries may gather information about the victim's business relationships, including second- or third-party organizations/domains with connected network access, and supply chains/shipment paths.", "desc_ja": "敵対者は標的の取引関係に関する情報を収集することがある。接続されたネットワークアクセスを持つ第二者・第三者組織/ドメイン(MSP、請負業者等)が含まれうる。ハードやソフトのサプライチェーンや配送経路も露呈しうる。" }, { "sid": ".003", "tid": "T1591.003", "ja": "業務テンポの特定", "en": "Identify Business Tempo", "desc_en": "Adversaries may gather information about the victim's business tempo, including operational hours/days, and times/dates of purchases and shipments.", "desc_ja": "敵対者は標的の業務テンポに関する情報を収集することがある。稼働時間・曜日が含まれうる。ハードやソフトの購入・配送の時期や日付も露呈しうる。" }, { "sid": ".004", "tid": "T1591.004", "ja": "役割の特定", "en": "Identify Roles", "desc_en": "Adversaries may gather information about identities and roles within the victim organization, revealing identifiable information for key personnel as well as what data/resources they have access to.", "desc_ja": "敵対者は標的組織内のIDや役割に関する情報を収集することがある。主要人物の識別可能情報や、その人物がアクセスできるデータ/リソースなど、標的とすべき詳細が露呈しうる。" } ], "procedures": [ { "id": "G0007", "name": "APT28", "desc_en": "APT28 has used large language models (LLMs) to gather information about satellite capabilities." }, { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 has compiled a list of victims by filtering companies by revenue using Zoominfo, a business information service." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has collected victim organization information including organization hierarchy, functions, and press releases, and has used LLMs to gather information about potential targets." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals." }, { "id": "G1036", "name": "Moonstone Sleet", "desc_en": "Moonstone Sleet has gathered information on victim organizations through email and social media interaction." }, { "id": "C0022", "name": "Operation Dream Job", "desc_en": "For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0890", "name": "Detection of Gather Victim Org Information", "name_ja": "標的組織情報収集の検知", "desc_en": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", "desc_ja": "この活動は発生頻度・誤検知率が非常に高く、標的組織の可視範囲外で行われることも多いため検知は困難。初期アクセスなど、敵対者ライフサイクルの関連段階での検知に注力するとよい。" } ] }, { "tid": "T1598", "ja": "情報収集型フィッシング", "en": "Phishing for Information", "desc_en": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. It differs from Phishing in that the objective is gathering data from the victim rather than executing malicious code.", "desc_ja": "敵対者は標的選定に使える機密情報を引き出すため、フィッシングメッセージを送ることがある。悪意あるコードの実行ではなく標的からのデータ収集を目的とする点で、フィッシング(T1566)と異なる。", "platforms": "", "version": "", "created": "", "modified": "", "subs": [ { "sid": ".001", "tid": "T1598.001", "ja": "スピアフィッシングサービス", "en": "Spearphishing Service", "desc_en": "Adversaries may send spearphishing messages via third-party services to elicit sensitive information, often using social engineering such as posing as a source with a reason to collect information.", "desc_ja": "敵対者は第三者サービス経由でスピアフィッシングメッセージを送り、機密情報を引き出すことがある。情報収集の正当な理由を持つ送り手を装う等のソーシャルエンジニアリングを伴うことが多い。" }, { "sid": ".002", "tid": "T1598.002", "ja": "スピアフィッシング添付ファイル", "en": "Spearphishing Attachment", "desc_en": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information, frequently using social engineering techniques.", "desc_ja": "敵対者は悪意ある添付ファイル付きのスピアフィッシングメッセージを送り、機密情報を引き出すことがある。ソーシャルエンジニアリング手法を伴うことが多い。" }, { "sid": ".003", "tid": "T1598.003", "ja": "スピアフィッシングリンク", "en": "Spearphishing Link", "desc_en": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information, frequently using social engineering techniques.", "desc_ja": "敵対者は悪意あるリンク付きのスピアフィッシングメッセージを送り、機密情報を引き出すことがある。ソーシャルエンジニアリング手法を伴うことが多い。" }, { "sid": ".004", "tid": "T1598.004", "ja": "スピアフィッシング音声", "en": "Spearphishing Voice", "desc_en": "Adversaries may use voice communications to elicit sensitive information, often using social engineering such as impersonation and creating a sense of urgency.", "desc_ja": "敵対者は音声通信を用いて機密情報を引き出すことがある。なりすまし(Impersonation)や、受け手に緊急感・警戒感を抱かせる等のソーシャルエンジニアリングを伴うことが多い。" } ], "procedures": [], "mitigations": [], "detections": [] }, { "tid": "T1682", "ja": "公開AIサービスへの照会", "en": "Query Public AI Services", "desc_en": "Adversaries may query publicly accessible AI services, such as large language models (LLMs), to support targeting. They may use AI services to synthesize, aggregate, and analyze publicly available information at scale.", "desc_ja": "敵対者は標的選定と作戦を支援するため、LLM等の公開AIサービスに照会することがある。Webやデータベースを直接検索する(T1593)のに加え、公開情報を大規模に統合・集約・分析するためにAIサービスを利用しうる。対象組織・人物の特定、組織構造の調査、利用技術の特定、フィッシング向け連絡先の収集などに用いられる。", "platforms": "", "version": "", "created": "", "modified": "", "subs": [], "procedures": [], "mitigations": [], "detections": [] }, { "tid": "T1597", "ja": "非公開ソースの探索", "en": "Search Closed Sources", "desc_en": "Adversaries may search and gather information about victims from closed (paid, private, or otherwise not freely available) sources, such as paid subscriptions to threat intelligence feeds or dark web markets.", "desc_ja": "敵対者は標的選定に使える情報を、非公開(有料・私的・自由に入手できない)ソースから探索・収集することがある。脅威インテリジェンスフィードの有料購読といった信頼できる私的ソースや、ダークウェブ・サイバー犯罪市場などが含まれる。", "platforms": "", "version": "", "created": "", "modified": "", "subs": [ { "sid": ".001", "tid": "T1597.001", "ja": "脅威インテリベンダー", "en": "Threat Intel Vendors", "desc_en": "Adversaries may search private data from threat intelligence vendors, which may offer paid feeds or portals with more data than what is publicly reported, including trends regarding breaches.", "desc_ja": "敵対者は標的選定に使える情報を、脅威インテリベンダーの私的データから探索することがある。有料フィードやポータルは公開報告より多くのデータを提供しうる。顧客名等は秘匿されても、対象業界・帰属主張・有効なTTP/対策の傾向が含まれうる。" }, { "sid": ".002", "tid": "T1597.002", "ja": "技術データの購入", "en": "Purchase Technical Data", "desc_en": "Adversaries may purchase technical information about victims, such as paid subscriptions to feeds of scan databases or other data aggregation services.", "desc_ja": "敵対者は標的選定に使える技術情報を購入することがある。スキャンデータベースのフィードやデータ集約サービスの有料購読といった信頼できる私的ソースから入手しうる。ダークウェブ等の信頼性の低いソースからの購入もある。" } ], "procedures": [], "mitigations": [], "detections": [] }, { "tid": "T1596", "ja": "公開技術データベースの探索", "en": "Search Open Technical Databases", "desc_en": "Adversaries may search freely available technical databases for information about victims, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.", "desc_ja": "敵対者は標的選定に使える情報を、無料で入手可能な技術データベースから探索することがある。ドメイン/証明書の登録情報や、トラフィック・スキャンから収集されたネットワークデータ/アーティファクトの公開コレクションなどが含まれうる。", "platforms": "", "version": "", "created": "", "modified": "", "subs": [ { "sid": ".001", "tid": "T1596.001", "ja": "DNS/パッシブDNS", "en": "DNS/Passive DNS", "desc_en": "Adversaries may search DNS data for information about victims, including registered name servers and records that outline addressing for subdomains, mail servers, and other hosts.", "desc_ja": "敵対者は標的選定に使える情報を、DNSデータから探索することがある。登録ネームサーバや、サブドメイン・メールサーバ・他ホストのアドレッシングを示すレコードが含まれうる。" }, { "sid": ".002", "tid": "T1596.002", "ja": "WHOIS", "en": "WHOIS", "desc_en": "Adversaries may search public WHOIS data, stored by regional Internet registries (RIR). Anyone can query WHOIS for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.", "desc_ja": "敵対者は標的選定に使える情報を、公開WHOISデータから探索することがある。WHOISは地域インターネットレジストリ(RIR)が保持し、誰でも登録ドメインの割当IPブロック・連絡先・DNSネームサーバ等を照会できる。" }, { "sid": ".003", "tid": "T1596.003", "ja": "デジタル証明書", "en": "Digital Certificates", "desc_en": "Adversaries may search public digital certificate data. Certificates issued by a CA (ex: for HTTPS SSL/TLS) contain information about the registered organization such as name and location.", "desc_ja": "敵対者は標的選定に使える情報を、公開デジタル証明書データから探索することがある。CAが発行する証明書(HTTPS SSL/TLS用等)には、登録組織の名称や所在地などの情報が含まれる。" }, { "sid": ".004", "tid": "T1596.004", "ja": "CDN", "en": "CDNs", "desc_en": "Adversaries may search content delivery network (CDN) data about victims. CDNs allow hosting content from a distributed array of servers and may customize delivery based on the requestor's geographical region.", "desc_ja": "敵対者は標的選定に使えるCDNデータを探索することがある。CDNは分散・負荷分散されたサーバ群からコンテンツをホストでき、要求元の地域に応じて配信を最適化しうる。" }, { "sid": ".005", "tid": "T1596.005", "ja": "スキャンデータベース", "en": "Scan Databases", "desc_en": "Adversaries may search within public scan databases. Various online services continuously publish results of Internet scans/surveys, harvesting information such as active IP addresses, hostnames, open ports, certificates, and server banners.", "desc_ja": "敵対者は標的選定に使える情報を、公開スキャンデータベースから探索することがある。各種オンラインサービスがインターネットスキャン/調査の結果を継続的に公開し、アクティブIP・ホスト名・開放ポート・証明書・サーババナー等を収集している。" } ], "procedures": [], "mitigations": [], "detections": [] }, { "tid": "T1593", "ja": "公開ウェブサイト/ドメインの探索", "en": "Search Open Websites/Domains", "desc_en": "Adversaries may search freely available websites and/or domains for information about victims, such as social media, news sites, or sites hosting information about business operations such as hiring or rewarded contracts.", "desc_ja": "敵対者は標的選定に使える情報を、無料で入手可能なウェブサイトやドメインから探索することがある。ソーシャルメディア、ニュースサイト、採用や受注契約など事業運営情報を扱うサイトなどが対象となりうる。", "platforms": "", "version": "", "created": "", "modified": "", "subs": [ { "sid": ".001", "tid": "T1593.001", "ja": "ソーシャルメディア", "en": "Social Media", "desc_en": "Adversaries may search social media for information about victims, such as business announcements as well as information about the roles, locations, and interests of staff.", "desc_ja": "敵対者は標的選定に使える情報を、ソーシャルメディアから探索することがある。事業に関する告知や、従業員の役割・所在地・関心事など、標的組織に関する様々な情報を含みうる。" }, { "sid": ".002", "tid": "T1593.002", "ja": "検索エンジン", "en": "Search Engines", "desc_en": "Adversaries may use search engines to collect information about victims. Search engines crawl online sites and may provide specialized syntax to search for specific keywords or content types (filetypes).", "desc_ja": "敵対者は標的選定に使える情報を、検索エンジンを用いて収集することがある。検索エンジンはオンラインサイトをクロールしてインデックス化し、特定のキーワードやコンテンツ種別(ファイル形式等)を検索する専用構文を提供しうる。" }, { "sid": ".003", "tid": "T1593.003", "ja": "コードリポジトリ", "en": "Code Repositories", "desc_en": "Adversaries may search public code repositories for information about victims. Victims may store code in repositories on third-party sites such as GitHub, GitLab, SourceForge, and BitBucket.", "desc_ja": "敵対者は標的選定に使える情報を、公開コードリポジトリから探索することがある。標的はGitHub・GitLab・SourceForge・BitBucket等の第三者サイトのリポジトリにコードを保管していることがある。" } ], "procedures": [], "mitigations": [], "detections": [] }, { "tid": "T1681", "ja": "脅威ベンダーデータの探索", "en": "Search Threat Vendor Data", "desc_en": "Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those by other adversaries aligning with their target industries or objectives. Adversaries may change their behavior when planning future operations.", "desc_ja": "脅威アクターは、自身のキャンペーンや、対象業界・能力・目的が合致する他の敵対者の活動について、非公開または公開の脅威インテリジェンスソースから情報・指標を探索することがある。行動の記述、攻撃の詳細分析、マルウェアハッシュやIP等のアトミックな指標、活動のタイムラインなどが含まれうる。これにより将来の作戦計画時に行動を変化させることがある。", "platforms": "", "version": "", "created": "", "modified": "", "subs": [], "procedures": [], "mitigations": [], "detections": [] }, { "tid": "T1594", "ja": "標的所有ウェブサイトの探索", "en": "Search Victim-Owned Websites", "desc_en": "Adversaries may search websites owned by the victim for information, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also reveal business operations and relationships.", "desc_ja": "敵対者は標的選定に使える情報を、標的が所有するウェブサイトから探索することがある。部門名、物理的所在地、主要従業員の名前・役割・連絡先(メールアドレス等)といった詳細が含まれうる。事業運営や取引関係を示す情報も得られることがある。", "platforms": "", "version": "", "created": "", "modified": "", "subs": [], "procedures": [], "mitigations": [], "detections": [] } ] }, { "tactic": "TA0042", "tactic_en": "Resource Development", "tactic_ja": "リソース開発", "techniques": [ { "tid": "T1583", "ja": "インフラの取得", "en": "Acquire Infrastructure", "desc_en": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost. Additionally, botnets are available for rent or purchase.", "desc_ja": "敵対者は標的選定に使えるインフラを購入・リース・レンタル・取得することがある。敵対者の作戦をホスト・統制するための多様なインフラが存在し、物理/クラウドサーバ、ドメイン、第三者Webサービスなどが含まれる。一部は無料で取得できる。インフラの取得により、敵対者は自身の作戦インフラを難読化し、検知・帰属を困難にしうる。", "platforms": "PRE", "version": "1.5", "created": "2020-09-30", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1583.001", "ja": "ドメイン", "en": "Domains", "desc_en": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.", "desc_ja": "敵対者は標的選定に使えるドメインを取得することがある。ドメイン名は1つ以上のIPアドレスを表す人間可読な名前で、購入したり、場合により無料で取得したりできる。" }, { "sid": ".002", "tid": "T1583.002", "ja": "DNSサーバ", "en": "DNS Server", "desc_en": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.", "desc_ja": "敵対者は標的選定に使える独自のDNSサーバを構築することがある。侵害後の活動でDNSトラフィックをC2等の様々な用途に利用しうる。" }, { "sid": ".003", "tid": "T1583.003", "ja": "仮想プライベートサーバ", "en": "Virtual Private Server", "desc_en": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.", "desc_ja": "敵対者は標的選定に使えるVPSをレンタルすることがある。仮想マシン/コンテナをサービスとして販売するクラウド事業者を利用し、作戦インフラを難読化しうる。" }, { "sid": ".004", "tid": "T1583.004", "ja": "サーバ", "en": "Server", "desc_en": "Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.", "desc_ja": "敵対者は標的選定に使える物理サーバを購入・リース・レンタル・取得することがある。サーバを用いて作戦のステージング・起動・実行を行う。" }, { "sid": ".005", "tid": "T1583.005", "ja": "ボットネット", "en": "Botnet", "desc_en": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service.", "desc_ja": "敵対者は標的選定に使える侵害済みシステムのネットワーク(ボットネット)を購入・リース・レンタルすることがある。協調的なタスクの実行を指示できる。" }, { "sid": ".006", "tid": "T1583.006", "ja": "Webサービス", "en": "Web Services", "desc_en": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.", "desc_ja": "敵対者は標的選定に使えるWebサービスに登録することがある。後続段階で悪用できる、人気のWebサービスへ登録しうる。" }, { "sid": ".007", "tid": "T1583.007", "ja": "サーバーレス", "en": "Serverless", "desc_en": "Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.", "desc_ja": "敵対者は標的選定に使えるサーバーレスのクラウドインフラ(Cloudflare Workers、AWS Lambda、Google Apps Script等)を購入・設定することがある。サーバーレスを利用してインフラを難読化しうる。" }, { "sid": ".008", "tid": "T1583.008", "ja": "マルバタイジング", "en": "Malvertising", "desc_en": "Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements. Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.", "desc_ja": "敵対者は被害者へのマルウェア配布に悪用できるオンライン広告を購入することがある。広告を用いて、特定の場所に成果物を仕込み、有利な位置に表示しうる。" } ], "procedures": [ { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team used various third-party email campaign management services to deliver phishing emails." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure." }, { "id": "G0119", "name": "Indrik Spider", "desc_en": "Indrik Spider has purchased access to victim VPNs to facilitate access to victim environments." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear uses services such as IVPN, SurfShark, and Tor to add anonymization to operations." }, { "id": "G1030", "name": "Agrius", "desc_en": "Agrius typically uses commercial VPN services for anonymizing last-hop traffic to victim networks, such as ProtonVPN." }, { "id": "G1033", "name": "Star Blizzard", "desc_en": "Star Blizzard has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle accessed victim networks from VPN service provider networks." }, { "id": "G1052", "name": "Contagious Interview", "desc_en": "Contagious Interview has used services such as Astrill VPN." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0895", "name": "Detection of Acquire Infrastructure", "name_ja": "インフラ取得の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。インフラ取得は外部データセット(ドメイン登録、証明書透明性ログ等)の監視で検知を試み、初期アクセス等の後続段階での検知にも注力するとよい。" } ] }, { "tid": "T1584", "ja": "インフラの侵害", "en": "Compromise Infrastructure", "desc_en": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.", "desc_ja": "敵対者は標的選定に使える第三者のインフラを侵害することがある。物理/クラウドサーバ、ドメイン、ネットワーク機器、第三者のWeb・DNSサービスなどが対象。購入・リース・レンタルの代わりにインフラを侵害することで、作戦中の追跡を困難にし、正規の侵害済み資産に紛れることができる。", "platforms": "PRE", "version": "1.6", "created": "2020-10-01", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1584.001", "ja": "ドメイン", "en": "Domains", "desc_en": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).", "desc_ja": "敵対者は標的選定に使えるドメイン/サブドメインを乗っ取ることがある。ドメイン登録ハイジャックは、所有者の許可なくドメイン名の登録を変更する行為を指す。" }, { "sid": ".002", "tid": "T1584.002", "ja": "DNSサーバ", "en": "DNS Server", "desc_en": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.", "desc_ja": "敵対者は標的選定に使える第三者のDNSサーバを侵害することがある。侵害後の活動でDNSトラフィックをC2等に利用しうる。" }, { "sid": ".003", "tid": "T1584.003", "ja": "仮想プライベートサーバ", "en": "Virtual Private Server", "desc_en": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.", "desc_ja": "敵対者は標的選定に使える第三者のVPSを侵害することがある。侵害したVPSを利用して作戦インフラを難読化しうる。" }, { "sid": ".004", "tid": "T1584.004", "ja": "サーバ", "en": "Server", "desc_en": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.", "desc_ja": "敵対者は標的選定に使える第三者のサーバを侵害することがある。侵害したサーバで作戦のステージング・起動・実行を行う。" }, { "sid": ".005", "tid": "T1584.005", "ja": "ボットネット", "en": "Botnet", "desc_en": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).", "desc_ja": "敵対者は多数の第三者システムを侵害してボットネットを形成し、標的選定に使うことがある。協調的なタスクの実行を指示できる。" }, { "sid": ".006", "tid": "T1584.006", "ja": "Webサービス", "en": "Web Services", "desc_en": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.", "desc_ja": "敵対者は標的選定に使える第三者のWebサービスへのアクセスを侵害することがある。GitHub等の正規Webサービスのアカウントを乗っ取りうる。" }, { "sid": ".007", "tid": "T1584.007", "ja": "サーバーレス", "en": "Serverless", "desc_en": "Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.", "desc_ja": "敵対者は標的選定に使えるサーバーレスのクラウドインフラ(Cloudflare Workers、AWS Lambda、Google Apps Script等)を侵害することがある。" }, { "sid": ".008", "tid": "T1584.008", "ja": "ネットワーク機器", "en": "Network Devices", "desc_en": "Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting.", "desc_ja": "敵対者は標的選定に使える第三者のネットワーク機器(SOHOルータ等)を侵害することがある。侵害した機器を中継・難読化に利用しうる。" } ], "procedures": [ { "id": "C0043", "name": "Indian Critical Infrastructure Intrusions", "desc_en": "Indian Critical Infrastructure Intrusions included the use of compromised infrastructure, such as DVR and IP camera devices, for command and control purposes in ShadowPad activity." }, { "id": "C0051", "name": "APT28 Nearest Neighbor Campaign", "desc_en": "During APT28 Nearest Neighbor Campaign, APT28 compromised third-party infrastructure in physical proximity to targets of interest for follow-on activities." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0885", "name": "Detection of Compromise Infrastructure", "name_ja": "インフラ侵害の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階(C2等)での検知に注力するとよい。" } ] }, { "tid": "T1585", "ja": "アカウントの確立", "en": "Establish Accounts", "desc_en": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.", "desc_ja": "敵対者は標的選定に使えるアカウントを各種サービスで作成・育成することがある。アカウントは作戦を進めるためのペルソナ(人物像)構築に使われる。ペルソナ開発には、公開情報・存在感・履歴・適切な所属の構築が含まれ、ソーシャルメディアやメール等で行われる。", "platforms": "PRE", "version": "1.3", "created": "2020-10-01", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1585.001", "ja": "ソーシャルメディアアカウント", "en": "Social Media Accounts", "desc_en": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.", "desc_ja": "敵対者は標的選定に使えるソーシャルメディアアカウントを作成・育成することがある。ペルソナ構築に利用しうる。" }, { "sid": ".002", "tid": "T1585.002", "ja": "メールアカウント", "en": "Email Accounts", "desc_en": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to Acquire Infrastructure for follow-on purposes.", "desc_ja": "敵対者は標的選定に使えるメールアカウントを作成することがある。フィッシング等の作戦に利用しうる。" }, { "sid": ".003", "tid": "T1585.003", "ja": "クラウドアカウント", "en": "Cloud Accounts", "desc_en": "Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.", "desc_ja": "敵対者は標的選定に使えるクラウド事業者のアカウントを作成することがある。クラウドストレージ等を作戦に利用しうる。" } ], "procedures": [ { "id": "C0059", "name": "Salesforce Data Exfiltration", "desc_en": "During Salesforce Data Exfiltration, threat actors created Salesforce trial accounts to register their malicious applications." }, { "id": "G0025", "name": "APT17", "desc_en": "APT17 has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has leveraged stolen PII to create accounts." }, { "id": "G0117", "name": "Fox Kitten", "desc_en": "Fox Kitten has created KeyBase accounts to communicate with ransomware victims." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear has created accounts on dark web forums to obtain various tools and malware." }, { "id": "G1052", "name": "Contagious Interview", "desc_en": "Contagious Interview has created and maintained personas on code repositories to distribute malicious payloads." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0873", "name": "Detection of Establish Accounts", "name_ja": "アカウント確立の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。" } ] }, { "tid": "T1586", "ja": "アカウントの侵害", "en": "Compromise Accounts", "desc_en": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.", "desc_ja": "敵対者は標的選定に使える既存アカウントを侵害することがある。ソーシャルエンジニアリングを伴う作戦では、オンライン上のペルソナの利用が重要となりうる。新規にアカウントを作成・育成(アカウントの確立)する代わりに、既存アカウントを侵害して乗っ取ることで、既成のペルソナや信頼関係を悪用できる。", "platforms": "PRE", "version": "1.2", "created": "2020-10-01", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1586.001", "ja": "ソーシャルメディアアカウント", "en": "Social Media Accounts", "desc_en": "Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.", "desc_ja": "敵対者は標的選定に使えるソーシャルメディアアカウントを侵害することがある。既成のペルソナを悪用しうる。" }, { "sid": ".002", "tid": "T1586.002", "ja": "メールアカウント", "en": "Email Accounts", "desc_en": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information, Phishing, or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).", "desc_ja": "敵対者は標的選定に使えるメールアカウントを侵害することがある。フィッシング等の作戦に利用しうる。" }, { "sid": ".003", "tid": "T1586.003", "ja": "クラウドアカウント", "en": "Cloud Accounts", "desc_en": "Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or Phishing. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.", "desc_ja": "敵対者は標的選定に使えるクラウドアカウントを侵害することがある。クラウドストレージ等を作戦に利用しうる。" } ], "procedures": [], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0876", "name": "Detection of Compromise Accounts", "name_ja": "アカウント侵害の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。" } ] }, { "tid": "T1587", "ja": "能力の開発", "en": "Develop Capabilities", "desc_en": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.", "desc_ja": "敵対者は標的選定に使える能力(capabilities)を構築することがある。購入・無料ダウンロード・窃取の代わりに、自前で能力を開発しうる。これは開発要件を特定し、マルウェア・エクスプロイト・証明書などのソリューションを構築する過程を指す。", "platforms": "PRE", "version": "1.1", "created": "2020-10-01", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1587.001", "ja": "マルウェア", "en": "Malware", "desc_en": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.", "desc_ja": "敵対者は標的選定に使えるマルウェアおよびその構成要素を開発することがある。ペイロード・ドロッパー・侵害後ツール・バックドア等の開発が含まれる。" }, { "sid": ".002", "tid": "T1587.002", "ja": "コード署名証明書", "en": "Code Signing Certificates", "desc_en": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.", "desc_ja": "敵対者は標的選定に使える自己署名のコード署名証明書を作成することがある。コード署名は実行ファイルやスクリプトに作者を示す電子署名を施す。" }, { "sid": ".003", "tid": "T1587.003", "ja": "デジタル証明書", "en": "Digital Certificates", "desc_en": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).", "desc_ja": "敵対者は標的選定に使える自己署名のSSL/TLS証明書を作成することがある。証明書は信頼を植え付けるよう設計されている。" }, { "sid": ".004", "tid": "T1587.004", "ja": "エクスプロイト", "en": "Exploits", "desc_en": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits. Adversaries may use information acquired via Vulnerabilities to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.", "desc_ja": "敵対者は標的選定に使えるエクスプロイトを開発することがある。脆弱性を悪用するコードを自前で作成しうる。" } ], "procedures": [ { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky created and used a mailing toolkit to use in spearphishing attacks." }, { "id": "G1036", "name": "Moonstone Sleet", "desc_en": "Moonstone Sleet developed malicious npm packages for delivery to or retrieval by victims." }, { "id": "G1052", "name": "Contagious Interview", "desc_en": "Contagious Interview developed malicious NPM packages for delivery to or retrieval by victims." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0853", "name": "Detection of Develop Capabilities", "name_ja": "能力開発の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。" } ] }, { "tid": "T1588", "ja": "能力の入手", "en": "Obtain Capabilities", "desc_en": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.", "desc_ja": "敵対者は標的選定に使える能力を購入・無料取得・窃取することがある。自前で開発(能力の開発)する代わりに、マルウェア・ソフトウェア・エクスプロイト・証明書などの能力を入手しうる。", "platforms": "PRE", "version": "1.1", "created": "2020-10-01", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1588.001", "ja": "マルウェア", "en": "Malware", "desc_en": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.", "desc_ja": "敵対者は標的選定に使えるマルウェアを購入・窃取・ダウンロードすることがある。" }, { "sid": ".002", "tid": "T1588.002", "ja": "ツール", "en": "Tool", "desc_en": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec).", "desc_ja": "敵対者は標的選定に使えるソフトウェアツールを取得することがある。無料・商用のソフトを入手しうる。" }, { "sid": ".003", "tid": "T1588.003", "ja": "コード署名証明書", "en": "Code Signing Certificates", "desc_en": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.", "desc_ja": "敵対者は標的選定に使えるコード署名証明書を購入・窃取することがある。正規の証明書を入手して信頼を悪用しうる。" }, { "sid": ".004", "tid": "T1588.004", "ja": "デジタル証明書", "en": "Digital Certificates", "desc_en": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.", "desc_ja": "敵対者は標的選定に使えるSSL/TLS証明書を購入・窃取することがある。" }, { "sid": ".005", "tid": "T1588.005", "ja": "エクスプロイト", "en": "Exploits", "desc_en": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.", "desc_ja": "敵対者は標的選定に使えるエクスプロイトを購入・窃取・ダウンロードすることがある。" }, { "sid": ".006", "tid": "T1588.006", "ja": "脆弱性", "en": "Vulnerabilities", "desc_en": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.", "desc_ja": "敵対者は標的選定に使える脆弱性情報を入手することがある。公開・非公開の脆弱性情報を活用しうる。" }, { "sid": ".007", "tid": "T1588.007", "ja": "人工知能", "en": "Artificial Intelligence", "desc_en": "Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and even developing payloads.", "desc_ja": "敵対者は標的選定や作戦支援のためにAI(生成AI・LLM等)を入手・利用することがある。" } ], "procedures": [], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0850", "name": "Detection of Obtain Capabilities", "name_ja": "能力入手の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。" } ] }, { "tid": "T1608", "ja": "能力の配置(ステージング)", "en": "Stage Capabilities", "desc_en": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.", "desc_ja": "敵対者は標的選定に使える能力を、自身が取得・侵害したインフラ上に配置(ステージング)することがある。能力をアップロード・インストール・設定して、初期アクセスや実行などの後続段階で使える状態にする。", "platforms": "PRE", "version": "1.2", "created": "2021-03-17", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1608.001", "ja": "マルウェアのアップロード", "en": "Upload Malware", "desc_en": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.", "desc_ja": "敵対者はインフラ上にマルウェアをアップロードして後続段階で使える状態にすることがある。" }, { "sid": ".002", "tid": "T1608.002", "ja": "ツールのアップロード", "en": "Upload Tool", "desc_en": "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.", "desc_ja": "敵対者はインフラ上にツールをアップロードして配置することがある。" }, { "sid": ".003", "tid": "T1608.003", "ja": "デジタル証明書のインストール", "en": "Install Digital Certificate", "desc_en": "Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.", "desc_ja": "敵対者は取得・侵害したインフラにSSL/TLS証明書をインストールすることがある。" }, { "sid": ".004", "tid": "T1608.004", "ja": "ドライブバイ標的の準備", "en": "Drive-by Target", "desc_en": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).", "desc_ja": "敵対者はドライブバイ侵害のため、Webコンテンツを準備・配置することがある。" }, { "sid": ".005", "tid": "T1608.005", "ja": "リンク標的の準備", "en": "Link Target", "desc_en": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in Malicious Link. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in Spearphishing Link) or a phish to gain initial access to a system (as in Spearphishing Link), an adversary must set up the resources for a link target for the spearphishing link.", "desc_ja": "敵対者はフィッシングのリンク先となる悪意あるコンテンツを準備・配置することがある。" }, { "sid": ".006", "tid": "T1608.006", "ja": "SEOポイズニング", "en": "SEO Poisoning", "desc_en": "Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.", "desc_ja": "敵対者は検索エンジン最適化(SEO)を操作し、悪意あるコンテンツを検索結果の上位に表示させることがある。" } ], "procedures": [ { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0839", "name": "Detection of Stage Capabilities", "name_ja": "能力配置の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。" } ] }, { "tid": "T1650", "ja": "アクセスの取得", "en": "Acquire Access", "desc_en": "Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems. In some cases, adversary groups may form partnerships to share compromised systems with each other.", "desc_ja": "敵対者は標的環境へのアクセスを、第三者(イニシャルアクセスブローカー等)から購入することがある。自前で初期アクセスを得る代わりに、既に侵害済みのアクセスを購入することで、作戦を加速できる。", "platforms": "PRE", "version": "1.0", "created": "2023-03-10", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has purchased user credentials and other sensitive data from Initial Access Brokers (IABs)." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0884", "name": "Detection of Acquire Access", "name_ja": "アクセス取得の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。" } ] }, { "tid": "T1683", "ja": "コンテンツの生成", "en": "Generate Content", "desc_en": "Adversaries may create or generate content to support targeting and operations. This content may be used to establish personas, impersonate known individuals or organizations, and support Social Engineering, fraud, or influence activities. Written materials, audio, images, video, or other media may be developed and tailored to the target and objective.", "desc_ja": "敵対者は標的選定や作戦支援のためにコンテンツを生成することがある。AIツールを用いて、フィッシング用テキスト、偽のペルソナ向け画像・文章、マルウェアコードなどを大規模に作成しうる。", "platforms": "PRE", "version": "1.0", "created": "2026-03-25", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1683.001", "ja": "テキスト", "en": "Written Content", "desc_en": "Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time. Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.", "desc_ja": "敵対者はAIを用いてフィッシング用などのテキストコンテンツを生成することがある。" }, { "sid": ".002", "tid": "T1683.002", "ja": "画像・音声・動画", "en": "Audio-Visual Content", "desc_en": "Adversaries may create or manipulate audio, image, and video content to support targeting and malicious operations. Adversaries may also use synthetic voice recordings, real-time altered audio or video during live interactions, fabricated profile photos and identity documents, or video content depicting fabricated or impersonated individuals.", "desc_ja": "敵対者はAIを用いて偽の画像・音声・動画(ディープフェイク等)を生成することがある。" } ], "procedures": [ { "id": "C0062", "name": "Anthropic AI-orchestrated Campaign", "desc_en": "During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to automatically generate comprehensive documentation throughout the phases of the attack, including discovered services, harvested credentials, sensitive data, exploitation techniques, and complete attack progression." } ], "mitigations": [ { "id": "M1056", "name": "Pre-compromise", "name_ja": "侵害前対策", "desc_en": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.", "desc_ja": "本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。" } ], "detections": [ { "id": "DET0916", "name": "Detection of Generate Content", "name_ja": "コンテンツ生成の検知", "desc_en": "", "desc_ja": "この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。" } ] } ] }, { "tactic": "TA0001", "tactic_en": "Initial Access", "tactic_ja": "初期アクセス", "techniques": [ { "tid": "T1078", "ja": "有効なアカウント", "en": "Valid Accounts", "desc_en": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.", "desc_ja": "敵対者は、初期アクセス・永続化・権限昇格・ステルス(防御回避)の手段として、既存アカウントの認証情報を入手し悪用することがある。侵害された認証情報は、防御策を回避したり、リモートシステムや外部サービス(VPN・OWA・リモートデスクトップ等)へアクセスしたりするのに使われ、標的ネットワーク内での権限上昇にもつながりうる。", "platforms": "Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows", "version": "3.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1078.001", "ja": "デフォルトアカウント", "en": "Default Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.", "desc_ja": "敵対者は、初期アクセス・永続化・権限昇格・ステルスの手段として、デフォルトアカウントの認証情報を入手・悪用することがある。出荷時設定の既知の認証情報が悪用されうる。" }, { "sid": ".002", "tid": "T1078.002", "ja": "ドメインアカウント", "en": "Domain Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.", "desc_ja": "敵対者は、ドメインアカウントの認証情報を入手・悪用することがある。ドメインアカウントはActive Directory等で管理され、広範なアクセスを持ちうる。" }, { "sid": ".003", "tid": "T1078.003", "ja": "ローカルアカウント", "en": "Local Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.", "desc_ja": "敵対者は、ローカルアカウントの認証情報を入手・悪用することがある。単一システムやサービス用に構成されたローカルアカウントが対象。" }, { "sid": ".004", "tid": "T1078.004", "ja": "クラウドアカウント", "en": "Cloud Accounts", "desc_en": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.", "desc_ja": "クラウド環境の有効なアカウントは、初期アクセス・永続化・権限昇格・ステルスを敵対者に許しうる。クラウドのIDアカウントが悪用される。" } ], "procedures": [ { "id": "C0002", "name": "Night Dragon", "desc_en": "During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors used valid VPN credentials to gain initial access." }, { "id": "C0024", "name": "SolarWinds Compromise", "desc_en": "During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally." }, { "id": "C0028", "name": "2015 Ukraine Electric Power Attack", "desc_en": "During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network." }, { "id": "C0032", "name": "C0032", "desc_en": "During the C0032 campaign, TEMP.Veles used compromised VPN accounts." }, { "id": "C0038", "name": "HomeLand Justice", "desc_en": "During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts." }, { "id": "C0048", "name": "Operation MidnightEclipse", "desc_en": "During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks." }, { "id": "C0049", "name": "Leviathan Australian Intrusions", "desc_en": "Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions." }, { "id": "C0056", "name": "RedPenguin", "desc_en": "During RedPenguin, UNC3886 used legitimate credentials to gain priviliged access to Juniper routers." }, { "id": "C0057", "name": "3CX Supply Chain Attack", "desc_en": "During 3CX Supply Chain Attack, AppleJeus has gained access to the 3CX corporate environment through legitimate VPN credentials." }, { "id": "C0062", "name": "Anthropic AI-orchestrated Campaign", "desc_en": "During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks." }, { "id": "G0001", "name": "Axiom", "desc_en": "Axiom has used previously compromised administrative accounts to escalate privileges." }, { "id": "G0004", "name": "Ke3chang", "desc_en": "Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder." }, { "id": "G0008", "name": "Carbanak", "desc_en": "Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars." }, { "id": "G0011", "name": "PittyTiger", "desc_en": "PittyTiger attempts to obtain legitimate credentials during operations." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has used a compromised account to access an organization's VPN infrastructure." }, { "id": "G0026", "name": "APT18", "desc_en": "APT18 actors leverage legitimate credentials to log into external remote services." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group has used administrator credentials to gain access to restricted network segments." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team have used previously acquired legitimate credentials prior to attacks." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has compromised user credentials and used valid accounts for operations." }, { "id": "G0037", "name": "FIN6", "desc_en": "To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes." }, { "id": "G0039", "name": "Suckfly", "desc_en": "Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner." }, { "id": "G0045", "name": "menuPass", "desc_en": "menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments." }, { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 has harvested valid administrative credentials for lateral movement." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has used compromised credentials to access other systems on a victim network." }, { "id": "G0051", "name": "FIN10", "desc_en": "FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor." }, { "id": "G0053", "name": "FIN5", "desc_en": "FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment." }, { "id": "G0061", "name": "FIN8", "desc_en": "FIN8 has used valid accounts for persistence and lateral movement." }, { "id": "G0064", "name": "APT33", "desc_en": "APT33 has used valid accounts for initial access and privilege escalation." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has obtained valid accounts to gain initial access." }, { "id": "G0085", "name": "FIN4", "desc_en": "FIN4 has used legitimate credentials to hijack email communications." }, { "id": "G0087", "name": "APT39", "desc_en": "APT39 has used stolen credentials to compromise Outlook Web Access (OWA)." }, { "id": "G0091", "name": "Silence", "desc_en": "Silence has used compromised credentials to log on to other systems and escalate privileges." }, { "id": "G0093", "name": "GALLIUM", "desc_en": "GALLIUM leveraged valid accounts to maintain access to a victim network." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used compromised credentials to log on to other systems." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers." }, { "id": "G0114", "name": "Chimera", "desc_en": "Chimera has used a valid account to maintain persistence via scheduled task." }, { "id": "G0117", "name": "Fox Kitten", "desc_en": "Fox Kitten has used valid credentials with various services during lateral movement." }, { "id": "G0119", "name": "Indrik Spider", "desc_en": "Indrik Spider has used valid accounts for initial access and lateral movement. Indrik Spider has also maintained access to the victim environment through the VPN infrastructure." }, { "id": "G0122", "name": "Silent Librarian", "desc_en": "Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs." }, { "id": "G1005", "name": "POLONIUM", "desc_en": "POLONIUM has used valid compromised credentials to gain access to victim environments." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has used compromised credentials for initial access." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon relies primarily on valid credentials for persistence." }, { "id": "G1021", "name": "Cinnamon Tempest", "desc_en": "Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services." }, { "id": "G1024", "name": "Akira", "desc_en": "Akira uses valid account information to remotely access victim networks, such as VPN credentials." }, { "id": "G1032", "name": "INC Ransom", "desc_en": "INC Ransom has used compromised valid accounts for access to victim environments." }, { "id": "G1033", "name": "Star Blizzard", "desc_en": "Star Blizzard has used stolen credentials to sign into victim email accounts." }, { "id": "G1040", "name": "Play", "desc_en": "Play has used valid VPN accounts to achieve initial access." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle used compromised credentials to maintain long-term access to victim environments." }, { "id": "G1043", "name": "BlackByte", "desc_en": "BlackByte has gained access to victim environments through legitimate VPN credentials." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has used tools to hijack valid SSH accounts." }, { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement sometimes in combination with PsExec." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure. VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems. VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions." }, { "id": "S0038", "name": "Duqu", "desc_en": "Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware." }, { "id": "S0053", "name": "SeaDuke", "desc_en": "Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials." }, { "id": "S0362", "name": "Linux Rabbit", "desc_en": "Linux Rabbit acquires valid SSH accounts through brute force." }, { "id": "S0567", "name": "Dtrack", "desc_en": "Dtrack used hard-coded credentials to gain access to a network share." }, { "id": "S0599", "name": "Kinsing", "desc_en": "Kinsing has used valid SSH credentials to access remote hosts." }, { "id": "S0604", "name": "Industroyer", "desc_en": "Industroyer can use supplied user credentials to execute processes and stop services." }, { "id": "S9036", "name": "LP-Notes", "desc_en": "LP-Notes has used stolen Windows credentials to log in as the users." } ], "mitigations": [ { "id": "M1013", "name": "Application Developer Guidance", "name_ja": "アプリケーション開発者向けガイダンス", "desc_en": "Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).", "desc_ja": "開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。" }, { "id": "M1015", "name": "Active Directory Configuration", "name_ja": "アクティブディレクトリ構成", "desc_en": "Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.", "desc_ja": "Active Directoryを適切に構成し、攻撃対象領域を縮小する。" }, { "id": "M1017", "name": "User Training", "name_ja": "ユーザー教育", "desc_en": "Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.", "desc_ja": "ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。" }, { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include if default accounts have been enabled, or if new local accounts are created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1027", "name": "Password Policies", "name_ja": "パスワードポリシー", "desc_en": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. When possible, applications that use SSH keys should be updated periodically and properly secured.\n\nPolicies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.", "desc_ja": "強固なパスワードポリシーを適用し、推測・解読を困難にする。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Implement multi-factor authentication (MFA) across all account types, including default, local, domain, and cloud accounts, to prevent unauthorized access, even if credentials are compromised. MFA provides a critical layer of security by requiring multiple forms of verification beyond just a password. This measure significantly reduces the risk of adversaries abusing valid accounts to gain initial access, escalate privileges, maintain persistence, or evade defenses within your network.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1036", "name": "Account Use Policies", "name_ja": "アカウント使用ポリシー", "desc_en": "Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.", "desc_ja": "ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。" } ], "detections": [ { "id": "DET0560", "name": "Detection of Valid Account Abuse Across Platforms", "name_ja": "有効なアカウントの検知", "desc_en": "", "desc_ja": "有効なアカウントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1091", "ja": "リムーバブルメディア経由の複製", "en": "Replication Through Removable Media", "desc_en": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.", "desc_ja": "敵対者は、マルウェアをリムーバブルメディアにコピーし、メディア挿入時のAutorun機能を悪用することで、切断された/エアギャップされたネットワーク上のシステムへ移動することがある。", "platforms": "Windows", "version": "1.3", "created": "2017-05-31", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "G0007", "name": "APT28", "desc_en": "APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted." }, { "id": "G0012", "name": "Darkhotel", "desc_en": "Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers." }, { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations. Additionally, FIN7 has used malicious USBs that acted as virtual keyboards to install malware and txt files that decode to PowerShell commands." }, { "id": "G0047", "name": "Gamaredon Group", "desc_en": "Gamaredon Group has replicated to removable media by leveraging the User Assist Reg Key and creating LNKs on all network and removable drives available on the infected host." }, { "id": "G0081", "name": "Tropic Trooper", "desc_en": "Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine." }, { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has used a customized PlugX variant which could spread through USB connections." }, { "id": "G1007", "name": "Aoqin Dragon", "desc_en": "Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment." }, { "id": "G1014", "name": "LuminousMoth", "desc_en": "LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines." }, { "id": "S0013", "name": "PlugX", "desc_en": "PlugX has copied itself to infected removable drives for propagation to other victim devices." }, { "id": "S0023", "name": "CHOPSTICK", "desc_en": "Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic." }, { "id": "S0028", "name": "SHIPSHAPE", "desc_en": "APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document." }, { "id": "S0062", "name": "DustySky", "desc_en": "DustySky searches for removable media and duplicates itself onto it." }, { "id": "S0092", "name": "Agent.btz", "desc_en": "Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware." }, { "id": "S0115", "name": "Crimson", "desc_en": "Crimson can spread across systems by infecting removable media." }, { "id": "S0130", "name": "Unknown Logger", "desc_en": "Unknown Logger is capable of spreading to USB devices." }, { "id": "S0132", "name": "H1N1", "desc_en": "H1N1 has functionality to copy itself to removable media." }, { "id": "S0136", "name": "USBStealer", "desc_en": "USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system." }, { "id": "S0143", "name": "Flame", "desc_en": "Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality." }, { "id": "S0385", "name": "njRAT", "desc_en": "njRAT can be configured to spread via removable drives." }, { "id": "S0386", "name": "Ursnif", "desc_en": "Ursnif has copied itself to and infected removable drives for propagation." }, { "id": "S0452", "name": "USBferry", "desc_en": "USBferry can copy its installer to attached USB storage devices." }, { "id": "S0458", "name": "Ramsay", "desc_en": "Ramsay can spread itself by infecting other portable executable files on removable drives." }, { "id": "S0603", "name": "Stuxnet", "desc_en": "Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability." }, { "id": "S0608", "name": "Conficker", "desc_en": "Conficker variants used the Windows AUTORUN feature to spread through USB propagation." }, { "id": "S0650", "name": "QakBot", "desc_en": "QakBot has the ability to use removable drives to spread through compromised networks." }, { "id": "S1074", "name": "ANDROMEDA", "desc_en": "ANDROMEDA has been spread via infected USB keys." }, { "id": "S1130", "name": "Raspberry Robin", "desc_en": "Raspberry Robin has historically used infected USB media to spread to new victims." }, { "id": "S1230", "name": "HIUPAN", "desc_en": "HIUPAN has periodically checked for removable and hot-plugged drives connected to the infected machine, should one be found HIUPAN will propagate to the removeable drives by copying itself and accompanying malware components to a directory to the new drive in a hidden subdirectory `:\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\` and hides any other existing files to ensure UsbConfig.exe is the only visible file on the device." } ], "mitigations": [ { "id": "M1034", "name": "Limit Hardware Installation", "name_ja": "ハードウェアインストールの制限", "desc_en": "Limit the use of USB devices and removable media within a network.", "desc_ja": "ハードウェアの接続を制限し、不正な機器の導入を防ぐ。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Disable Autorun if it is unnecessary. Disallow or restrict removable media at an organizational policy level if it is not required for business operations.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" } ], "detections": [ { "id": "DET0301", "name": "Removable Media Execution Chain Detection via File and Process Activity", "name_ja": "リムーバブルメディア経由の複製の検知", "desc_en": "", "desc_ja": "リムーバブルメディア経由の複製に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1133", "ja": "外部リモートサービス", "en": "External Remote Services", "desc_en": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.", "desc_ja": "敵対者は、外部公開されたリモートサービスを利用してネットワークへ初期アクセスし、または永続化することがある。VPN・Citrix等のアクセス機構は、外部からの内部ネットワーク接続を許す。", "platforms": "Containers, Linux, macOS, Windows", "version": "2.5", "created": "2017-05-31", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0002", "name": "Night Dragon", "desc_en": "During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems." }, { "id": "C0004", "name": "CostaRicto", "desc_en": "During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment." }, { "id": "C0012", "name": "Operation CuckooBees", "desc_en": "During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: `cscript //nologo \"C:\\Windows\\System32\\winrm.vbs\" set winrm/config/service@{EnableCompatibilityHttpsListener=\"true\"}`." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN." }, { "id": "C0024", "name": "SolarWinds Compromise", "desc_en": "For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools." }, { "id": "C0027", "name": "C0027", "desc_en": "During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments." }, { "id": "C0028", "name": "2015 Ukraine Electric Power Attack", "desc_en": "During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems." }, { "id": "C0032", "name": "C0032", "desc_en": "During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment." }, { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices." }, { "id": "C0063", "name": "2025 Poland Wiper Attacks", "desc_en": "During the 2025 Poland Wiper Attacks, threat actors leveraged the FortiGate VPN interface that was exposed to the internet to gain access to the victim environment." }, { "id": "G0004", "name": "Ke3chang", "desc_en": "Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has used compromised identities to access networks via VPNs and Citrix." }, { "id": "G0026", "name": "APT18", "desc_en": "APT18 actors leverage legitimate credentials to log into external remote services." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment." }, { "id": "G0053", "name": "FIN5", "desc_en": "FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access." }, { "id": "G0093", "name": "GALLIUM", "desc_en": "GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has used RDP to establish persistence." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service." }, { "id": "G0099", "name": "APT-C-36", "desc_en": "APT-C-36 has used VPNs in their operational infrastructure." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure." }, { "id": "G0114", "name": "Chimera", "desc_en": "Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services." }, { "id": "G0115", "name": "GOLD SOUTHFIELD", "desc_en": "GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines." }, { "id": "G0139", "name": "TeamTNT", "desc_en": "TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments. TeamTNT has also targeted exposed kubelets for Kubernetes environments." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear have used VPNs both for initial access to victim environments and for persistence within them following compromise." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has leveraged legitimate remote management tools to maintain persistent access." }, { "id": "G1016", "name": "FIN13", "desc_en": "FIN13 has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN)." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions." }, { "id": "G1024", "name": "Akira", "desc_en": "Akira uses compromised VPN accounts for initial access to victim networks." }, { "id": "G1040", "name": "Play", "desc_en": "Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizations." }, { "id": "G1047", "name": "Velvet Ant", "desc_en": "Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim environments." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has leveraged public facing VPN infrastructure to gain initial access to victim environments." }, { "id": "S0362", "name": "Linux Rabbit", "desc_en": "Linux Rabbit attempts to gain access to the server via SSH." }, { "id": "S0599", "name": "Kinsing", "desc_en": "Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API." }, { "id": "S0600", "name": "Doki", "desc_en": "Doki was executed through an open Docker daemon API port." }, { "id": "S0601", "name": "Hildegard", "desc_en": "Hildegard was executed through an unsecure kubelet that allowed anonymous access to the victim environment." }, { "id": "S1060", "name": "Mafalda", "desc_en": "Mafalda can establish an SSH connection from a compromised host to a server." } ], "mitigations": [ { "id": "M1021", "name": "Restrict Web-Based Content", "name_ja": "Web ベースコンテンツの制限", "desc_en": "Restrict all traffic to and from public Tor nodes.", "desc_ja": "危険なWebコンテンツへのアクセスを制限する。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1035", "name": "Limit Access to Resource Over Network", "name_ja": "リモートアクセス経由の権限を制限", "desc_en": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.", "desc_ja": "ネットワーク越しのリソースアクセスを制限する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Disable or block remotely available services that may be unnecessary.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" } ], "detections": [ { "id": "DET0354", "name": "Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers", "name_ja": "外部リモートサービスの検知", "desc_en": "", "desc_ja": "外部リモートサービスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1189", "ja": "ドライブバイ侵害", "en": "Drive-by Compromise", "desc_en": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:", "desc_ja": "敵対者は、ユーザーが通常のブラウジングでWebサイトを訪問することを通じてシステムへアクセスすることがある。ブラウザへエクスプロイトコードを送り込む複数の方法があり、正規サイトの侵害や悪意ある広告などが使われる。", "platforms": "Identity Provider, Linux, macOS, Windows", "version": "1.7", "created": "2018-04-18", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "C0010", "name": "C0010", "desc_en": "During C0010, UNC3890 actors likely established a watering hole that was hosted on a login page of a legitimate Israeli shipping company that was active until at least November 2021." }, { "id": "C0016", "name": "Operation Dust Storm", "desc_en": "During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322." }, { "id": "C0057", "name": "3CX Supply Chain Attack", "desc_en": "During the 3CX Supply Chain Attack, AppleJeus compromised the `www.tradingtechnologies[.]com` website hosting a hidden IFRAME to exploit visitors, two months before the site was known to deliver a compromised version of the X_TRADER software package." }, { "id": "G0001", "name": "Axiom", "desc_en": "Axiom has used watering hole attacks to gain access." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has compromised targets via strategic web compromise utilizing custom exploit kits. APT28 used reflected cross-site scripting (XSS) against government websites to redirect users to phishing webpages." }, { "id": "G0010", "name": "Turla", "desc_en": "Turla has infected victims using watering holes." }, { "id": "G0012", "name": "Darkhotel", "desc_en": "Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 has extensively used strategic web compromises to target victims." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit." }, { "id": "G0040", "name": "Patchwork", "desc_en": "Patchwork has used watering holes to deliver files with exploits to initial victims." }, { "id": "G0048", "name": "RTM", "desc_en": "RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network Yandex.Direct." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32 has infected victims by tricking them into visiting compromised watering hole websites." }, { "id": "G0056", "name": "PROMETHIUM", "desc_en": "PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers." }, { "id": "G0059", "name": "Magic Hound", "desc_en": "Magic Hound has conducted watering-hole attacks through media and magazine websites." }, { "id": "G0060", "name": "BRONZE BUTLER", "desc_en": "BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has infected victims using watering holes." }, { "id": "G0066", "name": "Elderwood", "desc_en": "Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector." }, { "id": "G0067", "name": "APT37", "desc_en": "APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly." }, { "id": "G0068", "name": "PLATINUM", "desc_en": "PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins." }, { "id": "G0070", "name": "Dark Caracal", "desc_en": "Dark Caracal leveraged a watering hole to serve up malicious code." }, { "id": "G0073", "name": "APT19", "desc_en": "APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets." }, { "id": "G0077", "name": "Leafminer", "desc_en": "Leafminer has infected victims using watering holes." }, { "id": "G0082", "name": "APT38", "desc_en": "APT38 has conducted watering holes schemes to gain initial access to victims." }, { "id": "G0095", "name": "Machete", "desc_en": "Machete has distributed Machete through a fake blog website." }, { "id": "G0112", "name": "Windshift", "desc_en": "Windshift has used compromised websites to register custom URL schemes on a remote system." }, { "id": "G0124", "name": "Windigo", "desc_en": "Windigo has distributed Windows malware via drive-by downloads." }, { "id": "G0134", "name": "Transparent Tribe", "desc_en": "Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools." }, { "id": "G0138", "name": "Andariel", "desc_en": "Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range." }, { "id": "G1006", "name": "Earth Lusca", "desc_en": "Earth Lusca has performed watering hole attacks." }, { "id": "G1012", "name": "CURIUM", "desc_en": "CURIUM has used strategic website compromise to infect victims with malware such as IMAPLoader." }, { "id": "G1020", "name": "Mustard Tempest", "desc_en": "Mustard Tempest has used drive-by downloads for initial infection, often using fake browser updates as a lure." }, { "id": "G1034", "name": "Daggerfly", "desc_en": "Daggerfly has used strategic website compromise for initial access against victims." }, { "id": "G1035", "name": "Winter Vivern", "desc_en": "Winter Vivern created dedicated web pages mimicking legitimate government websites to deliver malicious fake anti-virus software." }, { "id": "S0215", "name": "KARAE", "desc_en": "KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure." }, { "id": "S0216", "name": "POORAIM", "desc_en": "POORAIM has been delivered through compromised sites acting as watering holes." }, { "id": "S0451", "name": "LoudMiner", "desc_en": "LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS." }, { "id": "S0482", "name": "Bundlore", "desc_en": "Bundlore has been spread through malicious advertisements on websites." }, { "id": "S0483", "name": "IcedID", "desc_en": "IcedID has cloned legitimate websites/applications to distribute the malware." }, { "id": "S0496", "name": "REvil", "desc_en": "REvil has infected victim machines through compromised websites and exploit kits." }, { "id": "S0531", "name": "Grandoreiro", "desc_en": "Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer." }, { "id": "S0606", "name": "Bad Rabbit", "desc_en": "Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file." }, { "id": "S1086", "name": "Snip3", "desc_en": "Snip3 has been delivered to targets via downloads from malicious domains." }, { "id": "S1124", "name": "SocGholish", "desc_en": "SocGholish has been distributed through compromised websites with malicious content often masquerading as browser updates." } ], "mitigations": [ { "id": "M1017", "name": "User Training", "name_ja": "ユーザー教育", "desc_en": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "desc_ja": "ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。" }, { "id": "M1021", "name": "Restrict Web-Based Content", "name_ja": "Web ベースコンテンツの制限", "desc_en": "Adblockers can help prevent malicious code served through ads from executing in the first place. Script blocking extensions can also help to prevent the execution of JavaScript. \n\nConsider disabling browser push notifications from certain applications and browsers.", "desc_ja": "危険なWebコンテンツへのアクセスを制限する。" }, { "id": "M1048", "name": "Application Isolation and Sandboxing", "name_ja": "アプリケーション分離・サンドボックス化", "desc_en": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.", "desc_ja": "アプリを分離・サンドボックス化し、影響範囲を限定する。" }, { "id": "M1050", "name": "Exploit Protection", "name_ja": "エクスプロイト保護", "desc_en": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility.", "desc_ja": "エクスプロイト保護機能で脆弱性悪用を防ぐ。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Ensuring that all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0176", "name": "Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189)", "name_ja": "ドライブバイ侵害の検知", "desc_en": "", "desc_ja": "ドライブバイ侵害に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1190", "ja": "公開アプリケーションの悪用", "en": "Exploit Public-Facing Application", "desc_en": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.", "desc_ja": "敵対者は、インターネットに面したホストやシステムの弱点を悪用してネットワークへ初期アクセスを試みることがある。弱点はソフトウェアのバグ・一時的な不具合・設定ミスなどでありうる。", "platforms": "Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows", "version": "2.8", "created": "2018-04-18", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0002", "name": "Night Dragon", "desc_en": "During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access." }, { "id": "C0012", "name": "Operation CuckooBees", "desc_en": "During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers." }, { "id": "C0017", "name": "C0017", "desc_en": "During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access." }, { "id": "C0018", "name": "C0018", "desc_en": "During C0018, the threat actors exploited VMWare Horizon Unified Access Gateways that were vulnerable to several Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832." }, { "id": "C0024", "name": "SolarWinds Compromise", "desc_en": "During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network." }, { "id": "C0027", "name": "C0027", "desc_en": "During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access." }, { "id": "C0029", "name": "Cutting Edge", "desc_en": "During Cutting Edge, threat actors exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN appliances to enable authentication bypass and command injection. A server-side request forgery (SSRF) vulnerability, CVE-2024-21893, was identified later and used to bypass mitigations for the initial two vulnerabilities by chaining with CVE-2024-21887." }, { "id": "C0038", "name": "HomeLand Justice", "desc_en": "For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access." }, { "id": "C0039", "name": "Versa Director Zero Day Exploitation", "desc_en": "Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution." }, { "id": "C0041", "name": "FrostyGoop Incident", "desc_en": "FrostyGoop Incident was likely enabled by the adversary exploiting an unknown vulnerability in an external-facing router." }, { "id": "C0045", "name": "ShadowRay", "desc_en": "During ShadowRay, threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data." }, { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor abused WebVPN traffic to targeted devices to achieve unauthorized remote code execution." }, { "id": "C0048", "name": "Operation MidnightEclipse", "desc_en": "During Operation MidnightEclipse, threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect." }, { "id": "C0049", "name": "Leviathan Australian Intrusions", "desc_en": "Leviathan exploited public-facing web applications and appliances for initial access during Leviathan Australian Intrusions." }, { "id": "C0052", "name": "SPACEHOP Activity", "desc_en": "SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access." }, { "id": "C0053", "name": "FLORAHOX Activity", "desc_en": "FLORAHOX Activity has exploited and infected vulnerable routers to recruit additional network devices into the ORB." }, { "id": "C0055", "name": "Quad7 Activity", "desc_en": "Quad7 Activity has enabled the exploitation of vulnerabilities for remote code execution capabilities in SOHO routers including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices." }, { "id": "C0058", "name": "SharePoint ToolShell Exploitation", "desc_en": "During SharePoint ToolShell Exploitation, threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted `POST` requests to the ToolPane endpoint `/_layouts/15/ToolPane.aspx`." }, { "id": "C0061", "name": "Operation Digital Eye", "desc_en": "During Operation Digital Eye, threat actors used SQL injection to compromise publicly exposed web and database servers." }, { "id": "C0062", "name": "Anthropic AI-orchestrated Campaign", "desc_en": "During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to deploy a custom exploit payload targeting an identified SSRF vulnerability to gain initial access to a targeted environment." }, { "id": "G0001", "name": "Axiom", "desc_en": "Axiom has been observed using SQL injection to gain access to systems." }, { "id": "G0004", "name": "Ke3chang", "desc_en": "Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs." }, { "id": "G0045", "name": "menuPass", "desc_en": "menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions." }, { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange." }, { "id": "G0059", "name": "Magic Hound", "desc_en": "Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via \"ProxyShell\" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and Fortios SSL VPNs (CVE-2018-13379)." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has used exploits against publicly-disclosed vulnerabilities for initial access into victim networks." }, { "id": "G0069", "name": "MuddyWater", "desc_en": "MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688)." }, { "id": "G0087", "name": "APT39", "desc_en": "APT39 has used SQL injection for initial compromise." }, { "id": "G0093", "name": "GALLIUM", "desc_en": "GALLIUM exploited a publicly-facing servers including Wildfly/JBoss servers to gain access to the network." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central through unsafe deserialization, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices. APT41 leveraged vulnerabilities such as ProxyLogon exploitation or SQL injection for initial access. APT41 exploited CVE-2021-26855 against a vulnerable Microsoft Exchange Server to gain initial access to the victim network." }, { "id": "G0098", "name": "BlackTech", "desc_en": "BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server." }, { "id": "G0106", "name": "Rocke", "desc_en": "Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware." }, { "id": "G0108", "name": "Blue Mockingbird", "desc_en": "Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX." }, { "id": "G0115", "name": "GOLD SOUTHFIELD", "desc_en": "GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise." }, { "id": "G0117", "name": "Fox Kitten", "desc_en": "Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances." }, { "id": "G0123", "name": "Volatile Cedar", "desc_en": "Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery." }, { "id": "G0125", "name": "HAFNIUM", "desc_en": "HAFNIUM has exploited multiple vulnerabilities to compromise edge devices and on-premises versions of Microsoft Exchange Server." }, { "id": "G0135", "name": "BackdoorDiplomacy", "desc_en": "BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear gains initial access to victim environments by exploiting external-facing services. Examples include exploitation of CVE-2021-26084 in Confluence servers; CVE-2022-41040, ProxyShell, and other vulnerabilities in Microsoft Exchange; and multiple vulnerabilities in open-source platforms such as content management systems." }, { "id": "G1006", "name": "Earth Lusca", "desc_en": "Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish." }, { "id": "G1009", "name": "Moses Staff", "desc_en": "Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers." }, { "id": "G1016", "name": "FIN13", "desc_en": "FIN13 has exploited known vulnerabilities such as CVE-2017-1000486 (Primefaces Application Expression Language Injection), CVE-2015-7450 (WebSphere Application Server SOAP Deserialization Exploit), CVE-2010-5326 (SAP NewWeaver Invoker Servlet Exploit), and EDB-ID-24963 (SAP NetWeaver ConfigServlet Remote Code Execution) to gain initial access." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has gained initial access through exploitation of multiple vulnerabilities in internet-facing software and appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco." }, { "id": "G1021", "name": "Cinnamon Tempest", "desc_en": "Cinnamon Tempest has exploited multiple unpatched vulnerabilities for initial access including vulnerabilities in Microsoft Exchange, Manage Engine AdSelfService Plus, Confluence, and Log4j." }, { "id": "G1022", "name": "ToddyCat", "desc_en": "ToddyCat has exploited the ProxyLogon vulnerability (CVE-2021-26855) to compromise Exchange Servers at multiple organizations." }, { "id": "G1023", "name": "APT5", "desc_en": "APT5 has exploited vulnerabilities in externally facing software and devices including Pulse Secure VPNs and Citrix Application Delivery Controllers." }, { "id": "G1030", "name": "Agrius", "desc_en": "Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices and SQL injection activity." }, { "id": "G1032", "name": "INC Ransom", "desc_en": "INC Ransom has exploited known vulnerabilities including CVE-2023-3519 in Citrix NetScaler for initial access." }, { "id": "G1035", "name": "Winter Vivern", "desc_en": "Winter Vivern has exploited known and zero-day vulnerabilities in software usch as Roundcube Webmail servers and the \"Follina\" vulnerability." }, { "id": "G1040", "name": "Play", "desc_en": "Play has exploited known vulnerabilities for initial access including CVE-2018-13379 and CVE-2020-12812 in FortiOS and CVE-2022-41082 and CVE-2022-41040 (\"ProxyNotShell\") in Microsoft Exchange." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle gained access to victim environments by exploiting multiple known vulnerabilities over several campaigns." }, { "id": "G1043", "name": "BlackByte", "desc_en": "BlackByte exploited vulnerabilities such as ProxyLogon and ProxyShell for initial access to victim environments." }, { "id": "G1045", "name": "Salt Typhoon", "desc_en": "Salt Typhoon has exploited CVE-2018-0171 in the Smart Install feature of Cisco IOS and Cisco IOS XE software for initial access." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access." }, { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has leveraged public facing vulnerabilities in their campaigns against victim organizations to gain initial access. Medusa Group has also utilized CVE-2024-1709 in ScreenConnect, and CVE-2023-48788 in Fortinet EMS for initial access to victim environments." }, { "id": "G1053", "name": "Storm-0501", "desc_en": "Storm-0501 has exploited N-day vulnerabilities associated with public facing services to gain initial access to victim environments to include Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler “Citrix Bleed” (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203)." }, { "id": "G1054", "name": "MirrorFace", "desc_en": "MirrorFace has exploited vulnerabilities in Fortigate and Array AG devices for initial access." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has exploited public facing vulnerabilities within victim environments to include SharePoint CVE-2019-0604." }, { "id": "S0224", "name": "Havij", "desc_en": "Havij is used to automate SQL injection." }, { "id": "S0225", "name": "sqlmap", "desc_en": "sqlmap can be used to automate exploitation of SQL injection vulnerabilities." }, { "id": "S0412", "name": "ZxShell", "desc_en": "ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322." }, { "id": "S0516", "name": "SoreFang", "desc_en": "SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries." }, { "id": "S0623", "name": "Siloscape", "desc_en": "Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability." }, { "id": "S1105", "name": "COATHANGER", "desc_en": "COATHANGER is installed following exploitation of a vulnerable FortiGate device." }, { "id": "S1184", "name": "BOLDMOVE", "desc_en": "BOLDMOVE is associated with exploitation of CVE-2022-49475 in FortiOS." }, { "id": "S1242", "name": "Qilin", "desc_en": "Qilin has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP." } ], "mitigations": [ { "id": "M1016", "name": "Vulnerability Scanning", "name_ja": "脆弱性スキャン", "desc_en": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.", "desc_ja": "脆弱性スキャンを実施し、悪用され得る弱点を事前に特定・修正する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Use least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1035", "name": "Limit Access to Resource Over Network", "name_ja": "リモートアクセス経由の権限を制限", "desc_en": "Ensure that all publicly exposed services are actually intended to be so, and restrict access to any that should only be available internally.", "desc_ja": "ネットワーク越しのリソースアクセスを制限する。" }, { "id": "M1037", "name": "Filter Network Traffic", "name_ja": "トラフィックのフィルタリング", "desc_en": "Restrict outbound network traffic from public-facing servers to prevent unauthorized connections from initiating communications with attacker-controlled infrastructure. While this may not prevent the initial exploitation, it limits the attacker's ability to verify and control the compromised server post-exploit, reducing the overall impact of the attack.", "desc_ja": "ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。" }, { "id": "M1048", "name": "Application Isolation and Sandboxing", "name_ja": "アプリケーション分離・サンドボックス化", "desc_en": "Application isolation will limit what other processes and system features the exploited target can access.", "desc_ja": "アプリを分離・サンドボックス化し、影響範囲を限定する。" }, { "id": "M1050", "name": "Exploit Protection", "name_ja": "エクスプロイト保護", "desc_en": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.", "desc_ja": "エクスプロイト保護機能で脆弱性悪用を防ぐ。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Update software regularly by employing patch management for externally exposed applications.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0080", "name": "Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress)", "name_ja": "公開アプリケーションの悪用の検知", "desc_en": "", "desc_ja": "公開アプリケーションの悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1195", "ja": "サプライチェーン侵害", "en": "Supply Chain Compromise", "desc_en": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.", "desc_ja": "敵対者は、最終消費者が受け取る前に製品や製品配送機構を操作し、データやシステムの侵害を図ることがある。", "platforms": "Linux, Windows, macOS, SaaS", "version": "1.7", "created": "2018-04-18", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1195.001", "ja": "ソフトウェア依存関係・開発ツールの侵害", "en": "Compromise Software Dependencies and Development Tools", "desc_en": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ \"typosquatting\" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.", "desc_ja": "敵対者は、最終消費者が受け取る前に、ソフトウェアの依存関係や開発ツールを操作することがある。" }, { "sid": ".002", "tid": "T1195.002", "ja": "ソフトウェアサプライチェーンの侵害", "en": "Compromise Software Supply Chain", "desc_en": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", "desc_ja": "敵対者は、最終消費者が受け取る前にアプリケーションソフトウェアを操作することがある。" }, { "sid": ".003", "tid": "T1195.003", "ja": "ハードウェアサプライチェーンの侵害", "en": "Compromise Hardware Supply Chain", "desc_en": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.", "desc_ja": "敵対者は、最終消費者が受け取る前に製品中のハードウェア部品を操作することがある。" } ], "procedures": [ { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team staged compromised versions of legitimate software installers on forums to achieve initial, untargetetd access in victim environments." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has leveraged compromised organizations to conduct supply chain attacks on government entities." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear has compromised information technology providers and software developers providing services to targets of interest, building initial access to ultimate victims at least in part through compromise of service providers that work with the victim organizations." }, { "id": "S1148", "name": "Raccoon Stealer", "desc_en": "Raccoon Stealer has been distributed through cracked software downloads." }, { "id": "S1213", "name": "Lumma Stealer", "desc_en": "Lumma Stealer has been delivered through cracked software downloads." } ], "mitigations": [ { "id": "M1013", "name": "Application Developer Guidance", "name_ja": "アプリケーション開発者向けガイダンス", "desc_en": "Application developers should be cautious when selecting third-party libraries to integrate into their application. Additionally, where possible, developers should lock software dependencies to specific versions rather than pulling the latest version on build.", "desc_ja": "開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。" }, { "id": "M1016", "name": "Vulnerability Scanning", "name_ja": "脆弱性スキャン", "desc_en": "Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.", "desc_ja": "脆弱性スキャンを実施し、悪用され得る弱点を事前に特定・修正する。" }, { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Implement robust user account management practices to limit permissions associated with software execution. Ensure that software runs with the lowest necessary privileges, avoiding the use of root or administrator accounts when possible. By restricting permissions, you can minimize the risk of propagation and unauthorized actions in the event of a supply chain compromise, reducing the attack surface for adversaries to exploit within compromised systems.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1033", "name": "Limit Software Installation", "name_ja": "ソフトウェアインストールの制限", "desc_en": "Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.", "desc_ja": "ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。" }, { "id": "M1046", "name": "Boot Integrity", "name_ja": "ブートインテグリティ", "desc_en": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "desc_ja": "ブートの完全性を検証し、起動段階での改ざんを防ぐ。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0537", "name": "Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run)", "name_ja": "サプライチェーン侵害の検知", "desc_en": "", "desc_ja": "サプライチェーン侵害に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1199", "ja": "信頼関係の悪用", "en": "Trusted Relationship", "desc_en": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.", "desc_ja": "敵対者は、本来の標的にアクセスできる組織を侵害・利用することがある。信頼された第三者関係を通じたアクセスは、既存の信頼を悪用する。", "platforms": "IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows", "version": "2.4", "created": "2018-04-18", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0024", "name": "SolarWinds Compromise", "desc_en": "During the SolarWinds Compromise, APT29 gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems." }, { "id": "G0007", "name": "APT28", "desc_en": "Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has compromised IT, cloud services, and managed services providers to gain broad access to multiple customers for subsequent operations." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 has compromised third party service providers to gain access to victim's environments." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization. Additionally, Sandworm Team has accessed Internet service providers and telecommunication entities that provide mobile connectivity." }, { "id": "G0045", "name": "menuPass", "desc_en": "menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest." }, { "id": "G0115", "name": "GOLD SOUTHFIELD", "desc_en": "GOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers." }, { "id": "G0125", "name": "HAFNIUM", "desc_en": "HAFNIUM has used stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies to access downstream customer environments." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations." }, { "id": "G1005", "name": "POLONIUM", "desc_en": "POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company." }, { "id": "G1039", "name": "RedCurl", "desc_en": "RedCurl has gained access to a contractor to pivot to the victim’s infrastructure." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle targeted third-party entities in trusted relationships with primary targets to ultimately achieve access at primary targets. Entities targeted included DNS registrars, telecommunication companies, and internet service providers." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. In Office 365 environments, partner relationships and roles can be viewed under the “Partner Relationships” page.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Network segmentation can be used to isolate infrastructure components that do not require broad network access.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Require MFA for all delegated administrator accounts.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" } ], "detections": [ { "id": "DET0488", "name": "Detect abuse of Trusted Relationships (third-party and delegated admin access)", "name_ja": "信頼関係の悪用の検知", "desc_en": "", "desc_ja": "信頼関係の悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1200", "ja": "ハードウェアの追加", "en": "Hardware Additions", "desc_en": "Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.", "desc_ja": "敵対者は、コンピュータ周辺機器・ネットワーク機器・その他のコンピューティングデバイスを物理的にシステムやネットワークへ持ち込み、侵入ベクトルとして利用することがある。", "platforms": "Windows, Linux, macOS", "version": "1.7", "created": "2018-04-18", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "G0105", "name": "DarkVishnya", "desc_en": "DarkVishnya physically connected Bash Bunny, Raspberry Pi, netbooks, and inexpensive laptops to the target organization's environment to access the company’s local network." } ], "mitigations": [ { "id": "M1034", "name": "Limit Hardware Installation", "name_ja": "ハードウェアインストールの制限", "desc_en": "Block unknown devices and accessories by endpoint security configuration and monitoring agent.", "desc_ja": "ハードウェアの接続を制限し、不正な機器の導入を防ぐ。" }, { "id": "M1035", "name": "Limit Access to Resource Over Network", "name_ja": "リモートアクセス経由の権限を制限", "desc_en": "Establish network access control policies, such as using device certificates and the 802.1x standard. Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.", "desc_ja": "ネットワーク越しのリソースアクセスを制限する。" } ], "detections": [ { "id": "DET0069", "name": "Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network)", "name_ja": "ハードウェアの追加の検知", "desc_en": "", "desc_ja": "ハードウェアの追加に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1566", "ja": "フィッシング", "en": "Phishing", "desc_en": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.", "desc_ja": "敵対者は、被害者システムへのアクセスを得るためフィッシングメッセージを送ることがある。あらゆる形態のフィッシングは電子的に配信されるソーシャルエンジニアリングである。標的を絞ったスピアフィッシングや、不特定多数向けの大量配信がある。", "platforms": "Identity Provider, Linux, macOS, Office Suite, SaaS, Windows", "version": "2.7", "created": "2020-03-02", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1566.001", "ja": "スピアフィッシング添付ファイル", "en": "Spearphishing Attachment", "desc_en": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.", "desc_ja": "敵対者は、被害者システムへのアクセスを得るため、悪意ある添付ファイル付きのスピアフィッシングメールを送ることがある。" }, { "sid": ".002", "tid": "T1566.002", "ja": "スピアフィッシングリンク", "en": "Spearphishing Link", "desc_en": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.", "desc_ja": "敵対者は、被害者システムへのアクセスを得るため、悪意あるリンク付きのスピアフィッシングメールを送ることがある。" }, { "sid": ".003", "tid": "T1566.003", "ja": "サービス経由のスピアフィッシング", "en": "Spearphishing via Service", "desc_en": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.", "desc_ja": "敵対者は、第三者サービス経由でスピアフィッシングメッセージを送り、被害者システムへのアクセスを試みることがある。" }, { "sid": ".004", "tid": "T1566.004", "ja": "スピアフィッシング音声", "en": "Spearphishing Voice", "desc_en": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.", "desc_ja": "敵対者は、音声通信を用いて最終的に被害者システムへのアクセスを得ることがある。" } ], "procedures": [ { "id": "G0001", "name": "Axiom", "desc_en": "Axiom has used spear phishing to initially compromise victims." }, { "id": "G0069", "name": "MuddyWater", "desc_en": "MuddyWater has sent phishing emails to targets from the email address support@microsoftonlines[.]com." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has used spearphishing to gain initial access and intelligence." }, { "id": "G0115", "name": "GOLD SOUTHFIELD", "desc_en": "GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines." }, { "id": "G1032", "name": "INC Ransom", "desc_en": "INC Ransom has used phishing to gain initial access." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle used spear phishing to gain initial access to victims." }, { "id": "G1049", "name": "AppleJeus", "desc_en": "AppleJeus has used spearphishing emails to distribute malicious payloads." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has emailed victims threatening messages. VOID MANTICORE has used phishing as an initial access vector." }, { "id": "S0009", "name": "Hikit", "desc_en": "Hikit has been spread through spear phishing." }, { "id": "S1073", "name": "Royal", "desc_en": "Royal has been spread through the use of phishing campaigns including \"call back phishing\" where victims are lured into calling a number provided through email." }, { "id": "S1139", "name": "INC Ransomware", "desc_en": "INC Ransomware campaigns have used spearphishing emails for initial access." } ], "mitigations": [ { "id": "M1017", "name": "User Training", "name_ja": "ユーザー教育", "desc_en": "Users can be trained to identify social engineering techniques and phishing emails.", "desc_ja": "ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。" }, { "id": "M1021", "name": "Restrict Web-Based Content", "name_ja": "Web ベースコンテンツの制限", "desc_en": "Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.", "desc_ja": "危険なWebコンテンツへのアクセスを制限する。" }, { "id": "M1031", "name": "Network Intrusion Prevention", "name_ja": "ネットワーク侵入防止", "desc_en": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.", "desc_ja": "ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" }, { "id": "M1049", "name": "Antivirus/Antimalware", "name_ja": "アンチウイルス・アンチマルウェア", "desc_en": "Anti-virus can automatically quarantine suspicious files.", "desc_ja": "アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。" }, { "id": "M1054", "name": "Software Configuration", "name_ja": "ソフトウェア構成", "desc_en": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.", "desc_ja": "ソフトウェアを安全に構成し、悪用を防ぐ。" } ], "detections": [ { "id": "DET0070", "name": "Detection Strategy for Phishing across platforms.", "name_ja": "フィッシングの検知", "desc_en": "", "desc_ja": "フィッシングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1659", "ja": "コンテンツインジェクション", "en": "Content Injection", "desc_en": "Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.", "desc_ja": "敵対者は、オンラインのネットワークトラフィックに悪意あるコンテンツを注入することで、被害者へのアクセスを得て継続的に通信することがある。標的を特定の場所へ誘い込む代わりに、通信経路上で注入する。", "platforms": "Linux, macOS, Windows", "version": "1.0", "created": "2023-09-01", "modified": "2025-04-15", "subs": [], "procedures": [ { "id": "G1019", "name": "MoustachedBouncer", "desc_en": "MoustachedBouncer has injected content into DNS, HTTP, and SMB replies to redirect specifically-targeted victims to a fake Windows Update page to download malware." }, { "id": "S1088", "name": "Disco", "desc_en": "Disco has achieved initial access and execution through content injection into DNS, HTTP, and SMB replies to targeted hosts that redirect them to download malicious files." } ], "mitigations": [ { "id": "M1021", "name": "Restrict Web-Based Content", "name_ja": "Web ベースコンテンツの制限", "desc_en": "Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns.", "desc_ja": "危険なWebコンテンツへのアクセスを制限する。" }, { "id": "M1041", "name": "Encrypt Sensitive Information", "name_ja": "機微情報の暗号化", "desc_en": "Where possible, ensure that online traffic is appropriately encrypted through services such as trusted VPNs.", "desc_ja": "機微情報を暗号化し、窃取時の影響を軽減する。" } ], "detections": [ { "id": "DET0349", "name": "Detection Strategy for Content Injection", "name_ja": "コンテンツインジェクションの検知", "desc_en": "", "desc_ja": "コンテンツインジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1669", "ja": "Wi-Fiネットワーク", "en": "Wi-Fi Networks", "desc_en": "Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by exploiting open Wi-Fi networks used by target devices or by accessing secured Wi-Fi networks — requiring Valid Accounts — belonging to a target organization. Establishing a connection to a Wi-Fi access point requires a certain level of proximity to both discover and maintain a stable network connection.", "desc_ja": "敵対者は、無線ネットワークへ接続することで標的システムへ初期アクセスを得ることがある。標的が利用する開放Wi-Fiの悪用や、認証情報の取得による接続などで達成しうる。", "platforms": "Linux, Network Devices, Windows, macOS", "version": "1.0", "created": "2025-02-25", "modified": "2025-04-15", "subs": [], "procedures": [ { "id": "C0051", "name": "APT28 Nearest Neighbor Campaign", "desc_en": "During APT28 Nearest Neighbor Campaign, APT28 established wireless connections to secure, enterprise Wi-Fi networks belonging to a target organization for initial access into the environment." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has exploited open Wi-Fi access points for initial access to target devices using the network." } ], "mitigations": [ { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. Separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Harden access requirements for Wi-Fi networks through using two or more pieces of evidence to authenticate, such as a username and password in addition to a token from a physical smart card or token generator.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1041", "name": "Encrypt Sensitive Information", "name_ja": "機微情報の暗号化", "desc_en": "Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure that web traffic that may contain credentials is protected by SSL/TLS.", "desc_ja": "機微情報を暗号化し、窃取時の影響を軽減する。" } ], "detections": [ { "id": "DET0536", "name": "Detection Strategy for Wi-Fi Networks", "name_ja": "Wi-Fiネットワークの検知", "desc_en": "", "desc_ja": "Wi-Fiネットワークに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] } ] }, { "tactic": "TA0002", "tactic_en": "Execution", "tactic_ja": "実行", "techniques": [ { "tid": "T1047", "ja": "Windows Management Instrumentation", "en": "Windows Management Instrumentation", "desc_en": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components.", "desc_ja": "敵対者は、WMIを悪用してローカル/リモートでコマンドやスクリプトを実行することがある。", "platforms": "Windows", "version": "1.6", "created": "2017-05-31", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0001", "name": "Frankenstein", "desc_en": "During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version." }, { "id": "C0007", "name": "FunnyDream", "desc_en": "During FunnyDream, the threat actors used `wmiexec.vbs` to run remote commands." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors has used WMI to execute commands." }, { "id": "C0015", "name": "C0015", "desc_en": "During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host." }, { "id": "C0018", "name": "C0018", "desc_en": "During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (`wmiprvse.exe`) to execute a variety of encoded PowerShell scripts using the `DownloadString` method." }, { "id": "C0022", "name": "Operation Dream Job", "desc_en": "During Operation Dream Job, Lazarus Group used WMIC to executed a remote XSL script." }, { "id": "C0024", "name": "SolarWinds Compromise", "desc_en": "During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement." }, { "id": "C0025", "name": "2016 Ukraine Electric Power Attack", "desc_en": "During the 2016 Ukraine Electric Power Attack, WMI in scripts were used for remote execution and system surveys." }, { "id": "C0027", "name": "C0027", "desc_en": "During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket." }, { "id": "C0038", "name": "HomeLand Justice", "desc_en": "During HomeLand Justice, threat actors used WMI to modify Windows Defender settings." }, { "id": "C0058", "name": "SharePoint ToolShell Exploitation", "desc_en": "During SharePoint ToolShell Exploitation, threat actors used WMI for execution." }, { "id": "C0060", "name": "Operation AkaiRyū", "desc_en": "During Operation AkaiRyū, MirrorFace used WMI to proxy execution of UPPERCUT." }, { "id": "G0009", "name": "Deep Panda", "desc_en": "The Deep Panda group is known to utilize WMI for lateral movement." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 used WMI to steal credentials and execute backdoors at a future time." }, { "id": "G0019", "name": "Naikon", "desc_en": "Naikon has used WMIC.exe for lateral movement." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "A Threat Group-3390 tool can use WMI to execute a binary." }, { "id": "G0030", "name": "Lotus Blossom", "desc_en": "Lotus Blossom has used WMI to enable lateral movement." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team has used Impacket’s WMIexec module for remote code execution and VBScript to run WMI queries." }, { "id": "G0037", "name": "FIN6", "desc_en": "FIN6 has used WMI to automate the remote execution of PowerShell scripts." }, { "id": "G0038", "name": "Stealth Falcon", "desc_en": "Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI)." }, { "id": "G0045", "name": "menuPass", "desc_en": "menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI." }, { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 has used WMI to install malware on targeted systems." }, { "id": "G0047", "name": "Gamaredon Group", "desc_en": "Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address. Gamaredon Group has used the following WMI query to search for a ping record: `Select * From Win32_PingStatus where Address = 'mil.gov.ua'`." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has used WMI for execution." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process." }, { "id": "G0059", "name": "Magic Hound", "desc_en": "Magic Hound has used a tool to run `cmd /c wmic computersystem get domain` for discovery." }, { "id": "G0061", "name": "FIN8", "desc_en": "FIN8's malicious spearphishing payloads use WMI to launch malware and spawn `cmd.exe` execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as during and post compromise cleanup activities." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has used WMI for execution." }, { "id": "G0069", "name": "MuddyWater", "desc_en": "MuddyWater has used malware that leveraged WMI for execution and querying host information." }, { "id": "G0093", "name": "GALLIUM", "desc_en": "GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit. APT41 has executed files through Windows Management Instrumentation (WMI)." }, { "id": "G0099", "name": "APT-C-36", "desc_en": "APT-C-36 has used WMI to execute PowerShell." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. Wizard Spider has also used batch scripts to leverage WMIC to deploy ransomware." }, { "id": "G0108", "name": "Blue Mockingbird", "desc_en": "Blue Mockingbird has used wmic.exe to set environment variables." }, { "id": "G0112", "name": "Windshift", "desc_en": "Windshift has used WMI to collect information about target machines." }, { "id": "G0114", "name": "Chimera", "desc_en": "Chimera has used WMIC to execute remote commands." }, { "id": "G0119", "name": "Indrik Spider", "desc_en": "Indrik Spider has used WMIC to execute commands on remote computers." }, { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has executed PowerShell scripts via WMI." }, { "id": "G0143", "name": "Aquatic Panda", "desc_en": "Aquatic Panda used WMI for lateral movement in victim environments." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear has used WMI execution with password hashes for command execution and lateral movement." }, { "id": "G1006", "name": "Earth Lusca", "desc_en": "Earth Lusca used a VBA script to execute WMI." }, { "id": "G1016", "name": "FIN13", "desc_en": "FIN13 has utilized `WMI` to execute commands and move laterally on compromised Windows machines." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories." }, { "id": "G1018", "name": "TA2541", "desc_en": "TA2541 has used WMI to query targeted systems for security products." }, { "id": "G1021", "name": "Cinnamon Tempest", "desc_en": "Cinnamon Tempest has used Impacket for lateral movement via WMI." }, { "id": "G1022", "name": "ToddyCat", "desc_en": "ToddyCat has used WMI to execute scripts for post exploit document collection." }, { "id": "G1032", "name": "INC Ransom", "desc_en": "INC Ransom has used WMIC to deploy ransomware." }, { "id": "G1043", "name": "BlackByte", "desc_en": "BlackByte used WMI to delete Volume Shadow Copies on victim machines." }, { "id": "G1044", "name": "APT42", "desc_en": "APT42 has used Windows Management Instrumentation (WMI) to query anti-virus products." }, { "id": "G1047", "name": "Velvet Ant", "desc_en": "Velvet Ant used the `wmiexec.py` tool within Impacket for remote process execution via WMI." }, { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has utilized Windows Management Instrumentation to query system information." }, { "id": "G1054", "name": "MirrorFace", "desc_en": "MirrorFace has leveraged WMIC on targeted systems post compromise." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has utilized WMIC to log into the victim host and create a process `process call create “cmd.exe /c copy \\\\?\\\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\system c:\\users\\public”`." }, { "id": "S0062", "name": "DustySky", "desc_en": "The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active." }, { "id": "S0089", "name": "BlackEnergy", "desc_en": "A BlackEnergy 2 plug-in uses WMI to gather victim host details." }, { "id": "S0151", "name": "HALFBAKED", "desc_en": "HALFBAKED can use WMI queries to gather system information." }, { "id": "S0154", "name": "Cobalt Strike", "desc_en": "Cobalt Strike can use WMI to deliver a payload to a remote host." }, { "id": "S0156", "name": "KOMPROGO", "desc_en": "KOMPROGO is capable of running WMI queries." }, { "id": "S0184", "name": "POWRUNER", "desc_en": "POWRUNER may use WMI when collecting information about a victim." }, { "id": "S0194", "name": "PowerSploit", "desc_en": "PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload." }, { "id": "S0223", "name": "POWERSTATS", "desc_en": "POWERSTATS can use WMI queries to retrieve data from compromised hosts." }, { "id": "S0237", "name": "GravityRAT", "desc_en": "GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed)." }, { "id": "S0241", "name": "RATANKBA", "desc_en": "RATANKBA uses WMI to perform process monitoring." }, { "id": "S0250", "name": "Koadic", "desc_en": "Koadic can use WMI to execute commands." }, { "id": "S0251", "name": "Zebrocy", "desc_en": "One variant of Zebrocy uses WMI queries to gather information." }, { "id": "S0256", "name": "Mosquito", "desc_en": "Mosquito's installer uses WMI to search for antivirus display names." }, { "id": "S0264", "name": "OopsIE", "desc_en": "OopsIE uses WMI to perform discovery techniques." }, { "id": "S0265", "name": "Kazuar", "desc_en": "Kazuar obtains a list of running processes through WMI querying." }, { "id": "S0267", "name": "FELIXROOT", "desc_en": "FELIXROOT uses WMI to query the Windows Registry." }, { "id": "S0270", "name": "RogueRobin", "desc_en": "RogueRobin uses various WMI queries to check if the sample is running in a sandbox." }, { "id": "S0283", "name": "jRAT", "desc_en": "jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details." }, { "id": "S0331", "name": "Agent Tesla", "desc_en": "Agent Tesla has used wmi queries to gather information from the system." }, { "id": "S0339", "name": "Micropsia", "desc_en": "Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI." }, { "id": "S0340", "name": "Octopus", "desc_en": "Octopus has used wmic.exe for local discovery information." }, { "id": "S0357", "name": "Impacket", "desc_en": "Impacket's `wmiexec` module can be used to execute commands through WMI." }, { "id": "S0363", "name": "Empire", "desc_en": "Empire can use WMI to deliver a payload to a remote host." }, { "id": "S0365", "name": "Olympic Destroyer", "desc_en": "Olympic Destroyer uses WMI to help propagate itself across a network." }, { "id": "S0366", "name": "WannaCry", "desc_en": "WannaCry utilizes wmic to delete shadow copies." }, { "id": "S0367", "name": "Emotet", "desc_en": "Emotet has used WMI to execute powershell.exe." }, { "id": "S0368", "name": "NotPetya", "desc_en": "NotPetya can use wmic to help propagate itself across a network." }, { "id": "S0373", "name": "Astaroth", "desc_en": "Astaroth uses WMIC to execute payloads." }, { "id": "S0375", "name": "Remexi", "desc_en": "Remexi executes received commands with wmic.exe (for WMI commands)." }, { "id": "S0376", "name": "HOPLIGHT", "desc_en": "HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository." }, { "id": "S0378", "name": "PoshC2", "desc_en": "PoshC2 has a number of modules that use WMI to execute tasks." }, { "id": "S0380", "name": "StoneDrill", "desc_en": "StoneDrill has used the WMI command-line (WMIC) utility to run tasks." }, { "id": "S0381", "name": "FlawedAmmyy", "desc_en": "FlawedAmmyy leverages WMI to enumerate anti-virus on the victim." }, { "id": "S0386", "name": "Ursnif", "desc_en": "Ursnif droppers have used WMI classes to execute PowerShell commands." }, { "id": "S0396", "name": "EvilBunny", "desc_en": "EvilBunny has used WMI to gather information about the system." }, { "id": "S0449", "name": "Maze", "desc_en": "Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network." }, { "id": "S0457", "name": "Netwalker", "desc_en": "Netwalker can use WMI to delete Shadow Volumes." }, { "id": "S0476", "name": "Valak", "desc_en": "Valak can use wmic process call create in a scheduled task to launch plugins and for execution." }, { "id": "S0483", "name": "IcedID", "desc_en": "IcedID has used WMI to execute binaries." }, { "id": "S0488", "name": "CrackMapExec", "desc_en": "CrackMapExec can execute remote commands using Windows Management Instrumentation." }, { "id": "S0496", "name": "REvil", "desc_en": "REvil can use WMI to monitor for and kill specific processes listed in its configuration file." }, { "id": "S0532", "name": "Lucifer", "desc_en": "Lucifer can use WMI to log into remote machines for propagation." }, { "id": "S0534", "name": "Bazar", "desc_en": "Bazar can execute a WMI query to gather information about the installed antivirus engine." }, { "id": "S0546", "name": "SharpStage", "desc_en": "SharpStage can use WMI for execution." }, { "id": "S0553", "name": "MoleNet", "desc_en": "MoleNet can perform WMI commands on the system." }, { "id": "S0559", "name": "SUNBURST", "desc_en": "SUNBURST used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing." }, { "id": "S0568", "name": "EVILNUM", "desc_en": "EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines." }, { "id": "S0589", "name": "Sibot", "desc_en": "Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL." }, { "id": "S0603", "name": "Stuxnet", "desc_en": "Stuxnet used WMI with an explorer.exe token to execute on a remote share." }, { "id": "S0605", "name": "EKANS", "desc_en": "EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations." }, { "id": "S0616", "name": "DEATHRANSOM", "desc_en": "DEATHRANSOM has the ability to use WMI to delete volume shadow copies." }, { "id": "S0617", "name": "HELLOKITTY", "desc_en": "HELLOKITTY can use WMI to delete volume shadow copies." }, { "id": "S0618", "name": "FIVEHANDS", "desc_en": "FIVEHANDS can use WMI to delete files on a target machine." }, { "id": "S0640", "name": "Avaddon", "desc_en": "Avaddon uses wmic.exe to delete shadow copies." }, { "id": "S0650", "name": "QakBot", "desc_en": "QakBot can execute WMI queries to gather information." }, { "id": "S0654", "name": "ProLock", "desc_en": "ProLock can use WMIC to execute scripts on targeted hosts." }, { "id": "S0663", "name": "SysUpdate", "desc_en": "SysUpdate can use WMI for execution on a compromised host." }, { "id": "S0673", "name": "DarkWatchman", "desc_en": "DarkWatchman can use WMI to execute commands." }, { "id": "S0674", "name": "CharmPower", "desc_en": "CharmPower can use `wmic` to gather information from a system." }, { "id": "S0688", "name": "Meteor", "desc_en": "Meteor can use `wmic.exe` as part of its effort to delete shadow copies." }, { "id": "S0692", "name": "SILENTTRINITY", "desc_en": "SILENTTRINITY can use WMI for lateral movement." }, { "id": "S0698", "name": "HermeticWizard", "desc_en": "HermeticWizard can use WMI to create a new process on a remote machine via `C:\\windows\\system32\\cmd.exe /c start C:\\windows\\system32\\\\regsvr32.exe /s /iC:\\windows\\.dll`." }, { "id": "S1028", "name": "Action RAT", "desc_en": "Action RAT can use WMI to gather AV products installed on an infected host." }, { "id": "S1032", "name": "PyDCrypt", "desc_en": "PyDCrypt has attempted to execute with WMIC." }, { "id": "S1039", "name": "Bumblebee", "desc_en": "Bumblebee can use WMI to gather system information and to spawn processes for code injection." }, { "id": "S1044", "name": "FunnyDream", "desc_en": "FunnyDream can use WMI to open a Windows command shell on a remote machine." }, { "id": "S1063", "name": "Brute Ratel C4", "desc_en": "Brute Ratel C4 can use WMI to move laterally." }, { "id": "S1064", "name": "SVCReady", "desc_en": "SVCReady can use `WMI` queries to detect the presence of a virtual machine environment." }, { "id": "S1066", "name": "DarkTortilla", "desc_en": "DarkTortilla can use WMI queries to obtain system information." }, { "id": "S1068", "name": "BlackCat", "desc_en": "BlackCat can use `wmic.exe` to delete shadow copies on compromised networks." }, { "id": "S1070", "name": "Black Basta", "desc_en": "Black Basta has used WMI to execute files over the network." }, { "id": "S1081", "name": "BADHATCH", "desc_en": "BADHATCH can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine." }, { "id": "S1085", "name": "Sardonic", "desc_en": "Sardonic can use WMI to execute PowerShell commands on a compromised machine." }, { "id": "S1086", "name": "Snip3", "desc_en": "Snip3 can query the WMI class `Win32_ComputerSystem` to gather information." }, { "id": "S1111", "name": "DarkGate", "desc_en": "DarkGate has used WMI to execute files over the network and to obtain information about the domain." }, { "id": "S1124", "name": "SocGholish", "desc_en": "SocGholish has used WMI calls for script execution and system profiling." }, { "id": "S1129", "name": "Akira", "desc_en": "Akira will leverage COM objects accessed through WMI during execution to evade detection." }, { "id": "S1130", "name": "Raspberry Robin", "desc_en": "Raspberry Robin can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package." }, { "id": "S1139", "name": "INC Ransomware", "desc_en": "INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment." }, { "id": "S1141", "name": "LunarWeb", "desc_en": "LunarWeb can use WMI queries for discovery on the victim host." }, { "id": "S1152", "name": "IMAPLoader", "desc_en": "IMAPLoader uses WMI queries to query system information on victim hosts." }, { "id": "S1155", "name": "Covenant", "desc_en": "Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners." }, { "id": "S1160", "name": "Latrodectus", "desc_en": "Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files." }, { "id": "S1178", "name": "ShrinkLocker", "desc_en": "ShrinkLocker uses WMI to query information about the victim operating system." }, { "id": "S1193", "name": "TAMECAT", "desc_en": "TAMECAT has used Windows Management Instrumentation (WMI) to query anti-virus products." }, { "id": "S1199", "name": "LockBit 2.0", "desc_en": "LockBit 2.0 can use wmic.exe to delete volume shadow copies." }, { "id": "S1228", "name": "PUBLOAD", "desc_en": "PUBLOAD has used `wmic` to gather information from the victim device." }, { "id": "S1239", "name": "TONESHELL", "desc_en": "TONESHELL has used WMI queries to gather information from the system." }, { "id": "S1242", "name": "Qilin", "desc_en": "Qilin can use WMIC to change the Volume Shadow Copy Service (VSS) startup type to manual." }, { "id": "S9020", "name": "LODEINFO", "desc_en": "LODEINFO can execute commands with WMI." }, { "id": "S9026", "name": "ROAMINGHOUSE", "desc_en": "ROAMINGHOUSE can use WMI to launch a legitimate executable later used to enable DLL sideloading." }, { "id": "S9031", "name": "AshTag", "desc_en": "AshTag can use a .NET program to execute WMI queries and send unique victim IDs to C2." }, { "id": "S9035", "name": "LAMEHUG", "desc_en": "LAMEHUG can use wmic to collect system information." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Prevent credential overlap across systems of administrator and privileged accounts.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Use application control configured to block execution of wmic.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the wmic.exe application and to prevent abuse.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" } ], "detections": [ { "id": "DET0364", "name": "Behavioral Detection Strategy for WMI Execution Abuse on Windows", "name_ja": "Windows Management Instrumentationの検知", "desc_en": "", "desc_ja": "Windows Management Instrumentationに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1053", "ja": "スケジュールされたタスク/ジョブ", "en": "Scheduled Task/Job", "desc_en": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.", "desc_ja": "敵対者は、タスクスケジューラ機能を悪用して、悪意あるコードを定期的または特定時刻に実行することがある。", "platforms": "Containers, ESXi, Linux, macOS, Network Devices, Windows", "version": "2.5", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".002", "tid": "T1053.002", "ja": "At", "en": "At", "desc_en": "Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation `Win32_ScheduledJob` WMI class.", "desc_ja": "敵対者は、atコマンドを悪用してタスクをスケジュール実行することがある。" }, { "sid": ".003", "tid": "T1053.003", "ja": "Cron", "en": "Cron", "desc_en": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.", "desc_ja": "敵対者は、cronを悪用してタスクを定期実行し永続化することがある。" }, { "sid": ".005", "tid": "T1053.005", "ja": "スケジュールされたタスク", "en": "Scheduled Task", "desc_en": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.", "desc_ja": "敵対者は、Windowsのスケジュールされたタスクを悪用して実行・永続化することがある。" }, { "sid": ".006", "tid": "T1053.006", "ja": "systemdタイマー", "en": "Systemd Timers", "desc_en": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.", "desc_ja": "敵対者は、systemdタイマーを悪用してタスクを定期実行し永続化することがある。" }, { "sid": ".007", "tid": "T1053.007", "ja": "コンテナオーケストレーションジョブ", "en": "Container Orchestration Job", "desc_en": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.", "desc_ja": "敵対者は、コンテナオーケストレーションのジョブ機能を悪用してタスクを実行・永続化することがある。" } ], "procedures": [ { "id": "C0063", "name": "2025 Poland Wiper Attacks", "desc_en": "During the 2025 Poland Wiper Attacks, the adversaries set FortiGate scheduled tasks to run the adversary generated CLI scripts weekly." }, { "id": "S0447", "name": "Lokibot", "desc_en": "Lokibot's second stage DLL has set a timer using “timeSetEvent” to schedule its next execution." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0094", "name": "Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse", "name_ja": "スケジュールされたタスク/ジョブの検知", "desc_en": "", "desc_ja": "スケジュールされたタスク/ジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1059", "ja": "コマンド&スクリプトインタプリタ", "en": "Command and Scripting Interpreter", "desc_en": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.", "desc_ja": "敵対者は、コマンドやスクリプトのインタプリタ(PowerShell・Bash等)を悪用してコードを実行することがある。", "platforms": "Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows", "version": "2.7", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1059.001", "ja": "PowerShell", "en": "PowerShell", "desc_en": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).", "desc_ja": "敵対者は、PowerShellを悪用してコマンドやスクリプトを実行することがある。" }, { "sid": ".002", "tid": "T1059.002", "ja": "AppleScript", "en": "AppleScript", "desc_en": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.", "desc_ja": "敵対者は、AppleScriptを悪用してmacOS上でコマンドを実行することがある。" }, { "sid": ".003", "tid": "T1059.003", "ja": "Windowsコマンドシェル", "en": "Windows Command Shell", "desc_en": "Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.", "desc_ja": "敵対者は、Windowsコマンドシェル(cmd)を悪用してコマンドを実行することがある。" }, { "sid": ".004", "tid": "T1059.004", "ja": "Unixシェル", "en": "Unix Shell", "desc_en": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.", "desc_ja": "敵対者は、Unixシェル(bash等)を悪用してコマンドを実行することがある。" }, { "sid": ".005", "tid": "T1059.005", "ja": "Visual Basic", "en": "Visual Basic", "desc_en": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.", "desc_ja": "敵対者は、Visual Basic(VBA/VBScript)を悪用してコードを実行することがある。" }, { "sid": ".006", "tid": "T1059.006", "ja": "Python", "en": "Python", "desc_en": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.", "desc_ja": "敵対者は、Pythonを悪用してコードを実行することがある。" }, { "sid": ".007", "tid": "T1059.007", "ja": "JavaScript", "en": "JavaScript", "desc_en": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.", "desc_ja": "敵対者は、JavaScriptを悪用してコードを実行することがある。" }, { "sid": ".008", "tid": "T1059.008", "ja": "ネットワークデバイスCLI", "en": "Network Device CLI", "desc_en": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.", "desc_ja": "敵対者は、ネットワーク機器のCLIを悪用してコマンドを実行することがある。" }, { "sid": ".009", "tid": "T1059.009", "ja": "クラウドAPI", "en": "Cloud API", "desc_en": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell, or software developer kits (SDKs) available for languages such as Python.", "desc_ja": "敵対者は、クラウドAPIを悪用してコマンドや操作を実行することがある。" }, { "sid": ".010", "tid": "T1059.010", "ja": "AutoHotKey & AutoIT", "en": "AutoHotKey & AutoIT", "desc_en": "Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.", "desc_ja": "敵対者は、AutoHotKey/AutoITを悪用してコードを実行することがある。" }, { "sid": ".011", "tid": "T1059.011", "ja": "Lua", "en": "Lua", "desc_en": "Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).", "desc_ja": "敵対者は、Luaスクリプトを悪用してコードを実行することがある。" }, { "sid": ".012", "tid": "T1059.012", "ja": "ハイパーバイザCLI", "en": "Hypervisor CLI", "desc_en": "Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts.", "desc_ja": "敵対者は、ハイパーバイザのCLIを悪用してコマンドを実行することがある。" }, { "sid": ".013", "tid": "T1059.013", "ja": "コンテナCLI/API", "en": "Container CLI/API", "desc_en": "Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.", "desc_ja": "敵対者は、コンテナのCLI/APIを悪用してコマンドを実行することがある。" } ], "procedures": [ { "id": "C0005", "name": "Operation Spalax", "desc_en": "For Operation Spalax, the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware." }, { "id": "C0029", "name": "Cutting Edge", "desc_en": "During Cutting Edge, threat actors used Perl scripts to enable the deployment of the THINSPOOL shell script dropper and for enumerating host data." }, { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor included the adversary executing command line interface (CLI) commands." }, { "id": "C0053", "name": "FLORAHOX Activity", "desc_en": "FLORAHOX Activity has executed PHP and Shell scripts to identify and infect subsequent routers for the ORB network." }, { "id": "G0004", "name": "Ke3chang", "desc_en": "Malware used by Ke3chang can run commands on the command-line interface." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has used the command line for execution." }, { "id": "G0037", "name": "FIN6", "desc_en": "FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files." }, { "id": "G0038", "name": "Stealth Falcon", "desc_en": "Stealth Falcon malware uses WMI to script data collection and command execution on the victim." }, { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 used SQL scripts to help perform tasks on the victim's machine." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has used various types of scripting for execution." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32 has used COM scriptlets to download Cobalt Strike beacons." }, { "id": "G0053", "name": "FIN5", "desc_en": "FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results." }, { "id": "G0067", "name": "APT37", "desc_en": "APT37 has used Ruby scripts to execute payloads." }, { "id": "G0073", "name": "APT19", "desc_en": "APT19 downloaded and launched code within a SCT file." }, { "id": "G0087", "name": "APT39", "desc_en": "APT39 has utilized custom scripts to perform internal reconnaissance." }, { "id": "G0107", "name": "Whitefly", "desc_en": "Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands." }, { "id": "G0117", "name": "Fox Kitten", "desc_en": "Fox Kitten has used a Perl reverse shell to communicate with C2." }, { "id": "G0124", "name": "Windigo", "desc_en": "Windigo has used a Perl script for information gathering." }, { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has utilized meterpreter shellcode." }, { "id": "G1031", "name": "Saint Bear", "desc_en": "Saint Bear has used the Windows Script Host (wscript) to execute intermediate files written to victim machines." }, { "id": "G1035", "name": "Winter Vivern", "desc_en": "Winter Vivern used XLM 4.0 macros for initial code execution for malicious document files." }, { "id": "S0023", "name": "CHOPSTICK", "desc_en": "CHOPSTICK is capable of performing remote command execution." }, { "id": "S0032", "name": "gh0st RAT", "desc_en": "gh0st RAT is able to open a remote shell to execute commands." }, { "id": "S0167", "name": "Matryoshka", "desc_en": "Matryoshka is capable of providing Meterpreter shell access." }, { "id": "S0219", "name": "WINERACK", "desc_en": "WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands." }, { "id": "S0234", "name": "Bandook", "desc_en": "Bandook can support commands to execute Java-based payloads." }, { "id": "S0330", "name": "Zeus Panda", "desc_en": "Zeus Panda can launch remote scripts on the victim’s machine." }, { "id": "S0334", "name": "DarkComet", "desc_en": "DarkComet can execute various types of scripts on the victim’s machine." }, { "id": "S0363", "name": "Empire", "desc_en": "Empire uses a command-line interface to interact with systems." }, { "id": "S0374", "name": "SpeakUp", "desc_en": "SpeakUp uses Perl scripts." }, { "id": "S0434", "name": "Imminent Monitor", "desc_en": "Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts." }, { "id": "S0460", "name": "Get2", "desc_en": "Get2 has the ability to run executables with command-line arguments." }, { "id": "S0486", "name": "Bonadan", "desc_en": "Bonadan can create bind and reverse shells on the infected system." }, { "id": "S0487", "name": "Kessel", "desc_en": "Kessel can create a reverse shell between the infected host and a specified system." }, { "id": "S0598", "name": "P.A.S. Webshell", "desc_en": "P.A.S. Webshell has the ability to create reverse shells with Perl scripts." }, { "id": "S0618", "name": "FIVEHANDS", "desc_en": "FIVEHANDS can receive a command line argument to limit file encryption to specified directories." }, { "id": "S0695", "name": "Donut", "desc_en": "Donut can generate shellcode outputs that execute via Ruby." }, { "id": "S1110", "name": "SLIGHTPULSE", "desc_en": "SLIGHTPULSE contains functionality to execute arbitrary commands passed to it." }, { "id": "S1130", "name": "Raspberry Robin", "desc_en": "Raspberry Robin variants can be delivered via highly obfuscated Windows Script Files (WSF) for initial execution." }, { "id": "S1151", "name": "ZeroCleare", "desc_en": "ZeroCleare can receive command line arguments from an operator to corrupt the file system using the RawDisk driver." }, { "id": "S1154", "name": "VersaMem", "desc_en": "VersaMem was delivered as a Java Archive (JAR) that runs by attaching itself to the Apache Tomcat Java servlet and web server." }, { "id": "S1192", "name": "NICECURL", "desc_en": "NICECURL has provided an arbitrary command execution interface." }, { "id": "S1227", "name": "StarProxy", "desc_en": "StarProxy has used the command line for execution of commands." }, { "id": "S9032", "name": "MuddyViper", "desc_en": "MuddyViper has launched a reverse shell using a provided command line." } ], "mitigations": [ { "id": "M1021", "name": "Restrict Web-Based Content", "name_ja": "Webベースコンテンツの制限", "desc_en": "Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.", "desc_ja": "危険なWebコンテンツへのアクセスを制限する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.\n\nPowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1033", "name": "Limit Software Installation", "name_ja": "ソフトウェアインストールの制限", "desc_en": "Prevent user installation of unrequired command and scripting interpreters.", "desc_ja": "ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content .", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Disable or remove any unnecessary or unused shells or interpreters.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" }, { "id": "M1045", "name": "Code Signing", "name_ja": "コード署名", "desc_en": "Where possible, only permit execution of signed scripts.", "desc_ja": "コード署名を検証し、未署名・不正なコードの実行を防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Inventory systems for unauthorized command and scripting interpreter installations.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" }, { "id": "M1049", "name": "Antivirus/Antimalware", "name_ja": "アンチウイルス・アンチマルウェア", "desc_en": "Anti-virus can be used to automatically quarantine suspicious files.", "desc_ja": "アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。" } ], "detections": [ { "id": "DET0516", "name": "Behavioral Detection of Command and Scripting Interpreter Abuse", "name_ja": "コマンド&スクリプトインタプリタの検知", "desc_en": "", "desc_ja": "コマンド&スクリプトインタプリタに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1072", "ja": "ソフトウェア展開ツール", "en": "Software Deployment Tools", "desc_en": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.", "desc_ja": "敵対者は、企業内の集中型ソフトウェア展開ツールを悪用してコードを実行し横展開することがある。", "platforms": "Linux, macOS, Network Devices, SaaS, Windows", "version": "3.2", "created": "2017-05-31", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0018", "name": "C0018", "desc_en": "During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network." }, { "id": "G0028", "name": "Threat Group-1314", "desc_en": "Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task." }, { "id": "G0091", "name": "Silence", "desc_en": "Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs." }, { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has leveraged legitimate software tools such as AntiVirus Agents, Security Services, and App Development tools to execute scripts and to side-load dlls." }, { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has utilized software deployment and management solutions to deploy their encryption payload to include BigFix and PDQ Deploy." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has leveraged legitimate built-in features of cloud-based management platforms to include mobile device management (MDM) and Remote Monitoring and Management (RMM) solutions. VOID MANTICORE has also initiated built-in remote wipe instructions using a privileged account within Microsoft Intune." }, { "id": "S0041", "name": "Wiper", "desc_en": "It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the Wiper malware." } ], "mitigations": [ { "id": "M1015", "name": "Active Directory Configuration", "name_ja": "Active Directory構成", "desc_en": "Ensure proper system and access isolation for critical network systems through use of group policy.", "desc_ja": "Active Directoryを適切に構成し、攻撃対象領域を縮小する。" }, { "id": "M1017", "name": "User Training", "name_ja": "ユーザー教育", "desc_en": "Have a strict approval policy for use of deployment systems.", "desc_ja": "ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。" }, { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Grant access to application deployment systems only to a limited number of authorized administrators.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1027", "name": "Password Policies", "name_ja": "パスワードポリシー", "desc_en": "Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.", "desc_ja": "強固なパスワードポリシーを適用し、推測・解読を困難にする。" }, { "id": "M1029", "name": "Remote Data Storage", "name_ja": "リモートデータストレージ", "desc_en": "If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", "desc_ja": "重要データをリモートに保管し、破壊・改ざんの影響を軽減する。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Ensure proper system isolation for critical network systems through use of firewalls.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1033", "name": "Limit Software Installation", "name_ja": "ソフトウェアインストールの制限", "desc_en": "Restrict the use of third-party software suites installed within an enterprise network.", "desc_ja": "ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0223", "name": "Detection of Adversary Abuse of Software Deployment Tools", "name_ja": "ソフトウェア展開ツールの検知", "desc_en": "", "desc_ja": "ソフトウェア展開ツールに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1106", "ja": "ネイティブAPI", "en": "Native API", "desc_en": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.", "desc_ja": "敵対者は、OSのネイティブAPIを直接呼び出して悪意ある処理を実行することがある。", "platforms": "Linux, macOS, Windows", "version": "2.3", "created": "2017-05-31", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0006", "name": "Operation Honeybee", "desc_en": "During Operation Honeybee, the threat actors deployed malware that used API calls, including `CreateProcessAsUser`." }, { "id": "C0013", "name": "Operation Sharpshooter", "desc_en": "During Operation Sharpshooter, the first stage downloader resolved various Windows libraries and APIs, including `LoadLibraryA()`, `GetProcAddress()`, and `CreateProcessA()`." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors used the `CreateProcessA` and `ShellExecute` API functions to launch commands after being injected into a selected process." }, { "id": "C0022", "name": "Operation Dream Job", "desc_en": "During Operation Dream Job, Lazarus Group used Windows API `ObtainUserAgentString` to obtain the victim's User-Agent and used the value to connect to their C2 server." }, { "id": "C0061", "name": "Operation Digital Eye", "desc_en": "During Operation Digital Eye, threat actors used native API such as `GetUserInfo`." }, { "id": "G0010", "name": "Turla", "desc_en": "Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server. Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()`." }, { "id": "G0045", "name": "menuPass", "desc_en": "menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile." }, { "id": "G0047", "name": "Gamaredon Group", "desc_en": "Gamaredon Group malware has used CreateProcess to launch additional malicious components." }, { "id": "G0067", "name": "APT37", "desc_en": "APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection." }, { "id": "G0078", "name": "Gorgon Group", "desc_en": "Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution." }, { "id": "G0081", "name": "Tropic Trooper", "desc_en": "Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl." }, { "id": "G0082", "name": "APT38", "desc_en": "APT38 has used the Windows API to execute code within a victim's system." }, { "id": "G0090", "name": "WIRTE", "desc_en": "WIRTE has used the `RtlIpv4StringToAddressA` to convert IP-formatted string to a byte array." }, { "id": "G0091", "name": "Silence", "desc_en": "Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks." }, { "id": "G0092", "name": "TA505", "desc_en": "TA505 has deployed payloads that use Windows API calls on a compromised host." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has utilized Native APIs to collect data from victim hosts and facilitate execution of malicious scripts." }, { "id": "G0098", "name": "BlackTech", "desc_en": "BlackTech has used built-in API functions." }, { "id": "G0114", "name": "Chimera", "desc_en": "Chimera has used direct Windows system calls by leveraging Dumpert." }, { "id": "G0126", "name": "Higaisa", "desc_en": "Higaisa has called various native OS APIs." }, { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has used various Windows API calls during execution and defense evasion." }, { "id": "G1008", "name": "SideCopy", "desc_en": "SideCopy has executed malware by calling the API function `CreateProcessW`." }, { "id": "G1022", "name": "ToddyCat", "desc_en": "ToddyCat has used `WinExec` to execute commands received from C2 on compromised hosts." }, { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has leveraged Windows Native API functions to execute payloads." }, { "id": "S0011", "name": "Taidoor", "desc_en": "Taidoor has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary." }, { "id": "S0013", "name": "PlugX", "desc_en": "PlugX can use the Windows API functions `GetProcAddress`, `LoadLibrary`, and `CreateProcess` to execute another process." }, { "id": "S0022", "name": "Uroburos", "desc_en": "Uroburos can use native Windows APIs including `GetHostByName`." }, { "id": "S0032", "name": "gh0st RAT", "desc_en": "gh0st RAT has used the `InterlockedExchange`, `SeShutdownPrivilege`, and `ExitWindowsEx` Windows API functions." }, { "id": "S0045", "name": "ADVSTORESHELL", "desc_en": "ADVSTORESHELL is capable of starting a process using CreateProcess." }, { "id": "S0083", "name": "Misdat", "desc_en": "Misdat has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`." }, { "id": "S0084", "name": "Mis-Type", "desc_en": "Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`." }, { "id": "S0085", "name": "S-Type", "desc_en": "S-Type has used Windows APIs, including `GetKeyboardType`, `NetUserAdd`, and `NetUserDel`." }, { "id": "S0126", "name": "ComRAT", "desc_en": "ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW." }, { "id": "S0128", "name": "BADNEWS", "desc_en": "BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute." }, { "id": "S0141", "name": "Winnti for Windows", "desc_en": "Winnti for Windows can use Native API to create a new process and to start services." }, { "id": "S0147", "name": "Pteranodon", "desc_en": "Pteranodon has used various API calls." }, { "id": "S0148", "name": "RTM", "desc_en": "RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history." }, { "id": "S0154", "name": "Cobalt Strike", "desc_en": "Cobalt Strike's Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe Cobalt Strike can also use `CreateThreadpoolWait`, `SetThreadpoolWait`, and `MessageBoxA` for sandbox evasion and execution of embedded payloads in memory." }, { "id": "S0161", "name": "XAgentOSX", "desc_en": "XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method." }, { "id": "S0180", "name": "Volgmer", "desc_en": "Volgmer executes payloads using the Windows API call CreateProcessW()." }, { "id": "S0198", "name": "NETWIRE", "desc_en": "NETWIRE can use Native API including CreateProcess GetProcessById, and WriteProcessMemory." }, { "id": "S0234", "name": "Bandook", "desc_en": "Bandook has used the ShellExecuteW() function call." }, { "id": "S0239", "name": "Bankshot", "desc_en": "Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA()." }, { "id": "S0240", "name": "ROKRAT", "desc_en": "ROKRAT can use a variety of API calls to execute shellcode." }, { "id": "S0242", "name": "SynAck", "desc_en": "SynAck parses the export tables of system DLLs to locate and call various Windows API functions." }, { "id": "S0256", "name": "Mosquito", "desc_en": "Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions." }, { "id": "S0259", "name": "InnaputRAT", "desc_en": "InnaputRAT uses the API call ShellExecuteW for execution." }, { "id": "S0260", "name": "InvisiMole", "desc_en": "InvisiMole can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA." }, { "id": "S0266", "name": "TrickBot", "desc_en": "TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow. TrickBot has also used Nt* API functions to perform Process Injection." }, { "id": "S0268", "name": "Bisonal", "desc_en": "Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread." }, { "id": "S0354", "name": "Denis", "desc_en": "Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of a process hollowing process." }, { "id": "S0356", "name": "KONNI", "desc_en": "KONNI has hardcoded API calls within its functions to use on the victim's machine." }, { "id": "S0363", "name": "Empire", "desc_en": "Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks." }, { "id": "S0367", "name": "Emotet", "desc_en": "Emotet has used `CreateProcess` to create a new process to run its executable and `WNetEnumResourceW` to enumerate non-hidden shares." }, { "id": "S0384", "name": "Dridex", "desc_en": "Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique." }, { "id": "S0385", "name": "njRAT", "desc_en": "njRAT has used the ShellExecute() function within a script." }, { "id": "S0386", "name": "Ursnif", "desc_en": "Ursnif has used CreateProcessW to create child processes." }, { "id": "S0391", "name": "HAWKBALL", "desc_en": "HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity." }, { "id": "S0395", "name": "LightNeuron", "desc_en": "LightNeuron is capable of starting a process using CreateProcess." }, { "id": "S0396", "name": "EvilBunny", "desc_en": "EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox." }, { "id": "S0398", "name": "HyperBro", "desc_en": "HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API." }, { "id": "S0412", "name": "ZxShell", "desc_en": "ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service.RegisterServiceCtrlHandler" }, { "id": "S0416", "name": "RDFSNIFFER", "desc_en": "RDFSNIFFER has used several Win32 API functions to interact with the victim machine." }, { "id": "S0431", "name": "HotCroissant", "desc_en": "HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings." }, { "id": "S0434", "name": "Imminent Monitor", "desc_en": "Imminent Monitor has leveraged CreateProcessW() call to execute the debugger." }, { "id": "S0435", "name": "PLEAD", "desc_en": "PLEAD can use `ShellExecute` to execute applications." }, { "id": "S0438", "name": "Attor", "desc_en": "Attor's dispatcher has used CreateProcessW API for execution." }, { "id": "S0444", "name": "ShimRat", "desc_en": "ShimRat has used Windows API functions to install the service and shim." }, { "id": "S0445", "name": "ShimRatReporter", "desc_en": "ShimRatReporter used several Windows API functions to gather information from the infected system." }, { "id": "S0446", "name": "Ryuk", "desc_en": "Ryuk has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection." }, { "id": "S0447", "name": "Lokibot", "desc_en": "Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode." }, { "id": "S0448", "name": "Rising Sun", "desc_en": "Rising Sun used dynamic API resolutions to various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`." }, { "id": "S0449", "name": "Maze", "desc_en": "Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others." }, { "id": "S0453", "name": "Pony", "desc_en": "Pony has used several Windows functions for various purposes." }, { "id": "S0455", "name": "Metamorfo", "desc_en": "Metamorfo has used native WINAPI calls." }, { "id": "S0456", "name": "Aria-body", "desc_en": "Aria-body has the ability to launch files using ShellExecute." }, { "id": "S0457", "name": "Netwalker", "desc_en": "Netwalker can use Windows API functions to inject the ransomware DLL." }, { "id": "S0458", "name": "Ramsay", "desc_en": "Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute." }, { "id": "S0466", "name": "WindTail", "desc_en": "WindTail can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare." }, { "id": "S0470", "name": "BBK", "desc_en": "BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd." }, { "id": "S0471", "name": "build_downer", "desc_en": "build_downer has the ability to use the WinExec API to execute malware on a compromised host." }, { "id": "S0475", "name": "BackConfig", "desc_en": "BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files." }, { "id": "S0477", "name": "Goopy", "desc_en": "Goopy has the ability to enumerate the infected system's user name via GetUserNameW." }, { "id": "S0483", "name": "IcedID", "desc_en": "IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process." }, { "id": "S0484", "name": "Carberp", "desc_en": "Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories." }, { "id": "S0493", "name": "GoldenSpy", "desc_en": "GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API." }, { "id": "S0496", "name": "REvil", "desc_en": "REvil can use Native API for execution and to retrieve active services." }, { "id": "S0499", "name": "Hancitor", "desc_en": "Hancitor has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode." }, { "id": "S0501", "name": "PipeMon", "desc_en": "PipeMon's first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer." }, { "id": "S0512", "name": "FatDuke", "desc_en": "FatDuke can call ShellExecuteW to open the default browser on the URL localhost." }, { "id": "S0517", "name": "Pillowmint", "desc_en": "Pillowmint has used multiple native Windows APIs to execute and conduct process injections." }, { "id": "S0518", "name": "PolyglotDuke", "desc_en": "PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code." }, { "id": "S0521", "name": "BloodHound", "desc_en": "BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data." }, { "id": "S0531", "name": "Grandoreiro", "desc_en": "Grandoreiro can execute through the WinExec API." }, { "id": "S0534", "name": "Bazar", "desc_en": "Bazar can use various APIs to allocate memory and facilitate code execution/injection." }, { "id": "S0537", "name": "HyperStack", "desc_en": "HyperStack can use Windows API's ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares." }, { "id": "S0554", "name": "Egregor", "desc_en": "Egregor has used the Windows API to make detection more difficult." }, { "id": "S0561", "name": "GuLoader", "desc_en": "GuLoader can use a number of different APIs for discovery and execution." }, { "id": "S0562", "name": "SUNSPOT", "desc_en": "SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process." }, { "id": "S0569", "name": "Explosive", "desc_en": "Explosive has a function to call the OpenClipboard wrapper." }, { "id": "S0570", "name": "BitPaymer", "desc_en": "BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW." }, { "id": "S0574", "name": "BendyBear", "desc_en": "BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing." }, { "id": "S0575", "name": "Conti", "desc_en": "Conti has used API calls during execution." }, { "id": "S0576", "name": "MegaCortex", "desc_en": "After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs." }, { "id": "S0579", "name": "Waterbear", "desc_en": "Waterbear can leverage API functions for execution." }, { "id": "S0595", "name": "ThiefQuest", "desc_en": "ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration." }, { "id": "S0603", "name": "Stuxnet", "desc_en": "Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels." }, { "id": "S0606", "name": "Bad Rabbit", "desc_en": "Bad Rabbit has used various Windows API calls." }, { "id": "S0607", "name": "KillDisk", "desc_en": "KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine." }, { "id": "S0610", "name": "SideTwist", "desc_en": "SideTwist can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information." }, { "id": "S0611", "name": "Clop", "desc_en": "Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc()." }, { "id": "S0612", "name": "WastedLocker", "desc_en": "WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload." }, { "id": "S0614", "name": "CostaBricks", "desc_en": "CostaBricks has used a number of API calls, including `VirtualAlloc`, `VirtualFree`, `LoadLibraryA`, `GetProcAddress`, and `ExitProcess`." }, { "id": "S0615", "name": "SombRAT", "desc_en": "SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW." }, { "id": "S0622", "name": "AppleSeed", "desc_en": "AppleSeed has the ability to use multiple dynamically resolved API calls." }, { "id": "S0623", "name": "Siloscape", "desc_en": "Siloscape makes various native API calls." }, { "id": "S0625", "name": "Cuba", "desc_en": "Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum." }, { "id": "S0627", "name": "SodaMaster", "desc_en": "SodaMaster can use RegOpenKeyW to access the Registry." }, { "id": "S0629", "name": "RainyDay", "desc_en": "The file collection tool used by RainyDay can utilize native API including ReadDirectoryChangeW for folder monitoring." }, { "id": "S0630", "name": "Nebulae", "desc_en": "Nebulae has the ability to use CreateProcess to execute a process." }, { "id": "S0631", "name": "Chaes", "desc_en": "Chaes used the CreateFileW() API function with read permissions to access downloaded payloads." }, { "id": "S0632", "name": "GrimAgent", "desc_en": "GrimAgent can use Native API including GetProcAddress and ShellExecuteW." }, { "id": "S0638", "name": "Babuk", "desc_en": "Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution." }, { "id": "S0640", "name": "Avaddon", "desc_en": "Avaddon has used the Windows Crypto API to generate an AES key." }, { "id": "S0650", "name": "QakBot", "desc_en": "QakBot can use GetProcAddress to help delete malicious strings from memory." }, { "id": "S0651", "name": "BoxCaon", "desc_en": "BoxCaon has used Windows API calls to obtain information about the compromised host." }, { "id": "S0652", "name": "MarkiRAT", "desc_en": "MarkiRAT can run the ShellExecuteW API via the Windows Command Shell." }, { "id": "S0653", "name": "xCaon", "desc_en": "xCaon has leveraged native OS function calls to retrieve victim's network adapter's information using GetAdapterInfo() API." }, { "id": "S0659", "name": "Diavol", "desc_en": "Diavol has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack." }, { "id": "S0661", "name": "FoggyWeb", "desc_en": "FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed." }, { "id": "S0662", "name": "RCSession", "desc_en": "RCSession can use WinSock API for communication including WSASend and WSARecv." }, { "id": "S0663", "name": "SysUpdate", "desc_en": "SysUpdate can call the `GetNetworkParams` API as part of its C2 establishment process." }, { "id": "S0666", "name": "Gelsemium", "desc_en": "Gelsemium has the ability to use various Windows API functions to perform tasks." }, { "id": "S0667", "name": "Chrommme", "desc_en": "Chrommme can use Windows API including `WinExec` for execution." }, { "id": "S0668", "name": "TinyTurla", "desc_en": "TinyTurla has used `WinHTTP`, `CreateProcess`, and other APIs for C2 communications and other functions." }, { "id": "S0669", "name": "KOCTOPUS", "desc_en": "KOCTOPUS can use the `LoadResource` and `CreateProcessW` APIs for execution." }, { "id": "S0670", "name": "WarzoneRAT", "desc_en": "WarzoneRAT can use a variety of API calls on a compromised host." }, { "id": "S0678", "name": "Torisma", "desc_en": "Torisma has used various Windows API calls." }, { "id": "S0680", "name": "LitePower", "desc_en": "LitePower can use various API calls." }, { "id": "S0681", "name": "Lizar", "desc_en": "Lizar has used various Windows API functions on a victim's machine." }, { "id": "S0687", "name": "Cyclops Blink", "desc_en": "Cyclops Blink can use various Linux API functions including those for execution and discovery." }, { "id": "S0688", "name": "Meteor", "desc_en": "Meteor can use `WinAPI` to remove a victim machine from an Active Directory domain." }, { "id": "S0689", "name": "WhisperGate", "desc_en": "WhisperGate has used the `ExitWindowsEx` to flush file buffers to disk and stop running processes and other API calls." }, { "id": "S0692", "name": "SILENTTRINITY", "desc_en": "SILENTTRINITY has the ability to leverage API including `GetProcAddress` and `LoadLibrary`." }, { "id": "S0693", "name": "CaddyWiper", "desc_en": "CaddyWiper has the ability to dynamically resolve and use APIs, including `SeTakeOwnershipPrivilege`." }, { "id": "S0694", "name": "DRATzarus", "desc_en": "DRATzarus can use various API calls to see if it is running in a sandbox." }, { "id": "S0695", "name": "Donut", "desc_en": "Donut code modules use various API functions to load and inject code." }, { "id": "S0696", "name": "Flagpro", "desc_en": "Flagpro can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`." }, { "id": "S0697", "name": "HermeticWiper", "desc_en": "HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data." }, { "id": "S0698", "name": "HermeticWizard", "desc_en": "HermeticWizard can connect to remote shares using `WNetAddConnection2W`." }, { "id": "S1013", "name": "ZxxZ", "desc_en": "ZxxZ has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`." }, { "id": "S1015", "name": "Milan", "desc_en": "Milan can use the API `DnsQuery_A` for DNS resolution." }, { "id": "S1016", "name": "MacMa", "desc_en": "MacMa has used macOS API functions to perform tasks." }, { "id": "S1018", "name": "Saint Bot", "desc_en": "Saint Bot has used different API calls, including `GetProcAddress`, `VirtualAllocEx`, `WriteProcessMemory`, `CreateProcessA`, and `SetThreadContext`." }, { "id": "S1020", "name": "Kevin", "desc_en": "Kevin can use the `ShowWindow` API to avoid detection." }, { "id": "S1025", "name": "Amadey", "desc_en": "Amadey has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`." }, { "id": "S1033", "name": "DCSrv", "desc_en": "DCSrv has used various Windows API functions, including `DeviceIoControl`, as part of its encryption process." }, { "id": "S1034", "name": "StrifeWater", "desc_en": "StrifeWater can use a variety of APIs for execution." }, { "id": "S1039", "name": "Bumblebee", "desc_en": "Bumblebee can use multiple Native APIs." }, { "id": "S1044", "name": "FunnyDream", "desc_en": "FunnyDream can use Native API for defense evasion, discovery, and collection." }, { "id": "S1050", "name": "PcShare", "desc_en": "PcShare has used a variety of Windows API functions." }, { "id": "S1052", "name": "DEADEYE", "desc_en": "DEADEYE can execute the `GetComputerNameA` and `GetComputerNameExA` WinAPI functions." }, { "id": "S1053", "name": "AvosLocker", "desc_en": "AvosLocker has used a variety of Windows API calls, including `NtCurrentPeb` and `GetLogicalDrives`." }, { "id": "S1058", "name": "Prestige", "desc_en": "Prestige has used the `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()` functions to disable and restore file system redirection." }, { "id": "S1059", "name": "metaMain", "desc_en": "metaMain can execute an operator-provided Windows command by leveraging functions such as `WinExec`, `WriteFile`, and `ReadFile`." }, { "id": "S1060", "name": "Mafalda", "desc_en": "Mafalda can use a variety of API calls." }, { "id": "S1063", "name": "Brute Ratel C4", "desc_en": "Brute Ratel C4 can call multiple Windows APIs for execution, to share memory, and defense evasion." }, { "id": "S1064", "name": "SVCReady", "desc_en": "SVCReady can use Windows API calls to gather information from an infected host." }, { "id": "S1065", "name": "Woody RAT", "desc_en": "Woody RAT can use multiple native APIs, including `WriteProcessMemory`, `CreateProcess`, and `CreateRemoteThread` for process injection." }, { "id": "S1066", "name": "DarkTortilla", "desc_en": "DarkTortilla can use a variety of API calls for persistence and defense evasion." }, { "id": "S1070", "name": "Black Basta", "desc_en": "Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion." }, { "id": "S1073", "name": "Royal", "desc_en": "Royal can use multiple APIs for discovery, communication, and execution." }, { "id": "S1076", "name": "QUIETCANARY", "desc_en": "QUIETCANARY can call `System.Net.HttpWebRequest` to identify the default proxy configured on the victim computer." }, { "id": "S1078", "name": "RotaJakiro", "desc_en": "When executing with non-root permissions, RotaJakiro uses the the `shmget` API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the `execvp` API to help its dead process \"resurrect\"." }, { "id": "S1081", "name": "BADHATCH", "desc_en": "BADHATCH can utilize Native API functions such as, `ToolHelp32` and `Rt1AdjustPrivilege` to enable `SeDebugPrivilege` on a compromised machine." }, { "id": "S1085", "name": "Sardonic", "desc_en": "Sardonic has the ability to call Win32 API functions to determine if `powershell.exe` is running." }, { "id": "S1087", "name": "AsyncRAT", "desc_en": "AsyncRAT has the ability to use OS APIs including `CheckRemoteDebuggerPresent`." }, { "id": "S1089", "name": "SharpDisco", "desc_en": "SharpDisco can leverage Native APIs through plugins including `GetLogicalDrives`." }, { "id": "S1090", "name": "NightClub", "desc_en": "NightClub can use multiple native APIs including `GetKeyState`, `GetForegroundWindow`, `GetWindowThreadProcessId`, and `GetKeyboardLayout`." }, { "id": "S1099", "name": "Samurai", "desc_en": "Samurai has the ability to call Windows APIs." }, { "id": "S1100", "name": "Ninja", "desc_en": "The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption." }, { "id": "S1111", "name": "DarkGate", "desc_en": "DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution. DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution. DarkGate has also used the `CreateToolhelp32Snapshot`, `GetFileAttributesA` and `CreateProcessA` functions to obtain a list of running processes, to check for security products and to execute its malware." }, { "id": "S1122", "name": "Mispadu", "desc_en": "Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory." }, { "id": "S1129", "name": "Akira", "desc_en": "Akira executes native Windows functions such as GetFileAttributesW and `GetSystemInfo`." }, { "id": "S1139", "name": "INC Ransomware", "desc_en": "INC Ransomware can use the API `DeviceIoControl` to resize the allocated space for and cause the deletion of volume shadow copy snapshots." }, { "id": "S1145", "name": "Pikabot", "desc_en": "Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as `CheckRemoteDebuggerPresent`, `NtQueryInformationProcess`, `ProcessDebugPort`, and `ProcessDebugFlags`. Other Pikabot variants populate a global list of Windows API addresses from the `NTDLL` and `KERNEL32` libraries, and references these items instead of calling the API items to obfuscate execution." }, { "id": "S1149", "name": "CHIMNEYSWEEP", "desc_en": "CHIMNEYSWEEP can use Windows APIs including `LoadLibrary` and `GetProcAddress`." }, { "id": "S1151", "name": "ZeroCleare", "desc_en": "ZeroCleare can call the `GetSystemDirectoryW` API to locate the system directory." }, { "id": "S1152", "name": "IMAPLoader", "desc_en": "IMAPLoader imports native Windows APIs such as `GetConsoleWindow` and `ShowWindow`." }, { "id": "S1160", "name": "Latrodectus", "desc_en": "Latrodectus has used multiple Windows API post exploitation including `GetAdaptersInfo`, `CreateToolhelp32Snapshot`, and `CreateProcessW`." }, { "id": "S1169", "name": "Mango", "desc_en": "Mango has the ability to use Native APIs." }, { "id": "S1170", "name": "ODAgent", "desc_en": "ODAgent can pass commands using native APIs." }, { "id": "S1172", "name": "OilBooster", "desc_en": "OilBooster has used the `ShowWindow` and `CreateProcessW` APIs." }, { "id": "S1179", "name": "Exbyte", "desc_en": "Exbyte calls `ShellExecuteW` with the `IpOperation` parameter `RunAs` to launch `explorer.exe` with elevated privileges." }, { "id": "S1180", "name": "BlackByte Ransomware", "desc_en": "BlackByte Ransomware uses the `SetThreadExecutionState` API to prevent the victim system from entering sleep." }, { "id": "S1190", "name": "Kapeka", "desc_en": "Kapeka utilizes WinAPI calls to gather victim system information." }, { "id": "S1200", "name": "StealBit", "desc_en": "StealBit can use native APIs including `LoadLibraryExA` for execution and `NtSetInformationProcess` for defense evasion purposes." }, { "id": "S1202", "name": "LockBit 3.0", "desc_en": "LockBit 3.0 has the ability to directly call native Windows API items during execution." }, { "id": "S1207", "name": "XLoader", "desc_en": "XLoader uses the native Windows API for functionality, including defense evasion." }, { "id": "S1210", "name": "Sagerunex", "desc_en": "Sagerunex calls the `WaitForSingleObject` API function as part of time-check logic." }, { "id": "S1226", "name": "BOOKWORM", "desc_en": "BOOKWORM has used various Windows API calls during execution and defense evasion. BOOKWORM has created a buffer on the heap using `HeapCreate` and `HeapAlloc` which allows for copying of shell code and then execution on the heap is initiated through callback function of legitimate API functions such as `EnumChildWindows` or `EnumSystemLanguageGroupsA`." }, { "id": "S1227", "name": "StarProxy", "desc_en": "StarProxy has used native windows API calls such as `GetLocalTime()` to retrieve system data." }, { "id": "S1228", "name": "PUBLOAD", "desc_en": "PUBLOAD has used various Windows API calls during execution, when establishing persistence and defense evasion. PUBLOAD stager leveraged Windows API functions with callback including `GrayStringW`, `EnumDateFormatsA`, and `LineDDA` to bypass anti-virus monitoring. PUBLOAD has also utilized other native windows API functions with callback functions such as `EnumChildWindows` and `EnumSystemLanguageGroupsA`." }, { "id": "S1229", "name": "Havoc", "desc_en": "Havoc can use `NtAllocateVirtualMemory` and `NtCreateThreadEx` to aid process injection." }, { "id": "S1232", "name": "SplatDropper", "desc_en": "SplatDropper has utilized hashed Native Windows API calls." }, { "id": "S1233", "name": "PAKLOG", "desc_en": "PAKLOG has used Windows API `SetWindowsHookExW` with `idHook` set to `WH_KEYBOARD_LL` and a custom hook procedure to support its keylogging functions." }, { "id": "S1234", "name": "SplatCloak", "desc_en": "SplatCloak has utilized Native Windows API calls dynamically through `ZwQuerySystemInformation`." }, { "id": "S1236", "name": "CLAIMLOADER", "desc_en": "CLAIMLOADER has used various Windows API calls during execution, when establishing persistence and defense evasion. CLAIMLOADER has also leveraged the legitimate API functions to run its shellcode through the callback function, including `GetDC()` and `EnumFontsW()`. CLAIMLOADER established persistence by utilizing the API `SHSetValue()`. CLAIMLOADER has utilized APIs with callback functions such as `EnumpropsExW`, `EnumSystemLanguageGroupsA`, and `EnumCalendarInfoExW`." }, { "id": "S1237", "name": "CANONSTAGER", "desc_en": "CANONSTAGER has leveraged Native API calls to execute code within the victim’s system including `GetCurrentDirectoryW`, `RegisterClassW` and `CreateWindowExW`. CANONSTAGER also created a new overlapped window that initiates callback functions to a windows procedure that processes Windows messages until a designated message type of 0x0018 WM_SHOWWINDOW is observed which then initiates the deployment of a subsequent malicious payload." }, { "id": "S1239", "name": "TONESHELL", "desc_en": "TONESHELL has utilized Native Windows API functions such as `WriteProcessMemory` and `CreateRemoteThreadEx`. TONESHELL has also utilized Windows API functions for creating seed values including `CoCreateGuid` and `GetTickCount`. TONESHELL has leveraged the legitimate API function `EnumSystemLocalesA` to run its shellcode through the callback function." }, { "id": "S1242", "name": "Qilin", "desc_en": "Qilin can attempt to log on to the local computer via `LogonUserW` and use `GetLogicalDrives()` and `EnumResourceW()` for discovery." }, { "id": "S1244", "name": "Medusa Ransomware", "desc_en": "Medusa Ransomware has leveraged Windows Native API functions to execute payloads." }, { "id": "S1247", "name": "Embargo", "desc_en": "Embargo has leveraged Windows Native API functions to execute its operations." }, { "id": "S9001", "name": "SystemBC", "desc_en": "SystemBC has utilized native Windows API functions such as `EnumWindows`and `GetVolumeInformationA` during discovery activities." }, { "id": "S9007", "name": "HTTPTroy", "desc_en": "HTTPTroy has leveraged Windows Native API calls, including `GetProcAddress` to execute functions in memory." }, { "id": "S9012", "name": "TRAILBLAZE", "desc_en": "TRAILBLAZE has leveraged raw syscalls to execute commands." }, { "id": "S9016", "name": "Caminho", "desc_en": "Caminho can use `System.Net.WebClient.downloadString()` for file download." }, { "id": "S9018", "name": "HeartCrypt", "desc_en": "HeartCrypt can use Windows API functions to modify the Registry and `FindResourceW`, `LoadResource`, and `LockResource` to acquire a pointer to corresponding code resources." }, { "id": "S9020", "name": "LODEINFO", "desc_en": "LODEINFO can use Windows APIs such as `VirtualAllocEx()`, `WriteProcessMemory()`, `CreateRemoteThread()`, `NtAllocateVirtualMemory()`, `NtWriteVirtualMemory()`, and `RtlCreateUserThread()` to enable memory injection of shellcode." }, { "id": "S9021", "name": "DOWNIISSA", "desc_en": "DOWNIISSA can use the `URLDownloadToFileA()` API to download from remote resources." }, { "id": "S9025", "name": "NOOPLDR", "desc_en": "NOOPLDR can use native APIs `NtProtectVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx` to aid process injection." }, { "id": "S9027", "name": "ANELLDR", "desc_en": "ANELLDR can use the `ZwSetInformationThread` to enable debugger evasion." }, { "id": "S9032", "name": "MuddyViper", "desc_en": "MuddyViper has the ability to relaunch itself using the `CreateProcessW` API." }, { "id": "S9033", "name": "Fooder", "desc_en": "Fooder has used the WinCrypt API for payload decryption, `DuplicateTokenEx` to duplicate the token of a specified process, and `CreateProcessAsUserA` for payload execution." }, { "id": "S9036", "name": "LP-Notes", "desc_en": "LP-Notes has used the `ImpersonateLoggedOnUser` API to impersonate the security context of the taskhostw.exe process. Additionally, LP-Notes has also used the `CredUIPromptForWindowsCredentialsW` API to obtain Windows credentials." }, { "id": "S9037", "name": "RustyWater", "desc_en": "RustyWater has used `CreateObject` to instantiate a WScript.Shell Component Object Model (COM) object.  Additionally, RustyWater has used `VirtualAllocEx` and `WriteProcessMemory` to inject shellcode into explorer.exe." }, { "id": "S9038", "name": "DynoWiper", "desc_en": "DynoWiper has used multiple native Windows functions, such as `GetLogicalDrives` and `FindNextFile` for discovery and file deletion." } ], "mitigations": [ { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Identify and block potentially malicious software executed that may be executed through this technique by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" } ], "detections": [ { "id": "DET0529", "name": "Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls", "name_ja": "ネイティブAPIの検知", "desc_en": "", "desc_ja": "ネイティブAPIに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1127", "ja": "信頼された開発ツールによるプロキシ実行", "en": "Trusted Developer Utilities Proxy Execution", "desc_en": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.", "desc_ja": "敵対者は、署名済みの開発ツールを悪用して悪意あるコードをプロキシ実行することがある。", "platforms": "Windows", "version": "2.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1127.001", "ja": "MSBuild", "en": "MSBuild", "desc_en": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.", "desc_ja": "敵対者は、MSBuildを悪用して署名済みプロセス経由でコードを実行することがある。" }, { "sid": ".002", "tid": "T1127.002", "ja": "ClickOnce", "en": "ClickOnce", "desc_en": "Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility. ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.", "desc_ja": "敵対者は、ClickOnceを悪用してコードを実行することがある。" }, { "sid": ".003", "tid": "T1127.003", "ja": "JamPlus", "en": "JamPlus", "desc_en": "Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.", "desc_ja": "敵対者は、JamPlusを悪用してコードを実行することがある。" } ], "procedures": [], "mitigations": [ { "id": "M1021", "name": "Restrict Web-Based Content", "name_ja": "Webベースコンテンツの制限", "desc_en": "Consider disabling software installation or execution from the internet via developer utilities.", "desc_ja": "危険なWebコンテンツへのアクセスを制限する。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Certain developer utilities should be blocked or restricted if not required.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Specific developer utilities may not be necessary within a given environment and should be removed if not used.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" } ], "detections": [ { "id": "DET0172", "name": "Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows)", "name_ja": "信頼された開発ツールによるプロキシ実行の検知", "desc_en": "", "desc_ja": "信頼された開発ツールによるプロキシ実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1129", "ja": "共有モジュール", "en": "Shared Modules", "desc_en": "Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API).", "desc_ja": "敵対者は、共有モジュール(DLL等)のロード機構を悪用してコードを実行することがある。", "platforms": "Linux, macOS, Windows", "version": "2.3", "created": "2017-05-31", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has leveraged `LoadLibrary` to load DLLs." }, { "id": "S0032", "name": "gh0st RAT", "desc_en": "gh0st RAT can load DLLs into memory." }, { "id": "S0196", "name": "PUNCHBUGGY", "desc_en": "PUNCHBUGGY can load a DLL using the LoadLibrary API." }, { "id": "S0203", "name": "Hydraq", "desc_en": "Hydraq creates a backdoor through which remote attackers can load and call DLL functions." }, { "id": "S0352", "name": "OSX_OCEANLOTUS.D", "desc_en": "For network communications, OSX_OCEANLOTUS.D loads a dynamic library (`.dylib` file) using `dlopen()` and obtains a function pointer to execute within that shared library using `dlsym()`." }, { "id": "S0373", "name": "Astaroth", "desc_en": "Astaroth uses the LoadLibraryExW() function to load additional modules." }, { "id": "S0377", "name": "Ebury", "desc_en": "Ebury is executed through hooking the keyutils.so file used by legitimate versions of `OpenSSH` and `libcurl`." }, { "id": "S0415", "name": "BOOSTWRITE", "desc_en": "BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules." }, { "id": "S0438", "name": "Attor", "desc_en": "Attor's dispatcher can execute additional plugins by loading the respective DLLs." }, { "id": "S0455", "name": "Metamorfo", "desc_en": "Metamorfo had used AutoIt to load and execute the DLL payload." }, { "id": "S0467", "name": "TajMahal", "desc_en": "TajMahal has the ability to inject the LoadLibrary call template DLL into running processes." }, { "id": "S0501", "name": "PipeMon", "desc_en": "PipeMon has used call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode." }, { "id": "S0520", "name": "BLINDINGCAN", "desc_en": "BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine." }, { "id": "S0567", "name": "Dtrack", "desc_en": "Dtrack contains a function that calls LoadLibrary and GetProcAddress." }, { "id": "S0603", "name": "Stuxnet", "desc_en": "Stuxnet calls LoadLibrary then executes exports from a DLL." }, { "id": "S0607", "name": "KillDisk", "desc_en": "KillDisk loads and executes functions from a DLL." }, { "id": "S0661", "name": "FoggyWeb", "desc_en": "FoggyWeb's loader can call the load() function to load the FoggyWeb dll into an Application Domain on a compromised AD FS server." }, { "id": "S0673", "name": "DarkWatchman", "desc_en": "DarkWatchman can load DLLs." }, { "id": "S1039", "name": "Bumblebee", "desc_en": "Bumblebee can use `LoadLibrary` to attempt to execute GdiPlus.dll." }, { "id": "S1078", "name": "RotaJakiro", "desc_en": "RotaJakiro uses dynamically linked shared libraries (`.so` files) to execute additional functionality using `dlopen()` and `dlsym()`." }, { "id": "S1154", "name": "VersaMem", "desc_en": "VersaMem relied on the Java Instrumentation API and Javassist to dynamically modify Java code existing in memory." }, { "id": "S1185", "name": "LightSpy", "desc_en": "LightSpy's main executable and module `.dylib` binaries are loaded using a combination of `dlopen()` to load the library, `_objc_getClass()` to retrieve the class definition, and `_objec_msgSend()` to invoke/execute the specified method in the loaded class." } ], "mitigations": [ { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown modules from being loaded.", "desc_ja": "許可されていないコードの実行を防止する。" } ], "detections": [ { "id": "DET0018", "name": "Behavior-chain, platform-aware detection strategy for T1129 Shared Modules", "name_ja": "共有モジュールの検知", "desc_en": "", "desc_ja": "共有モジュールに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1197", "ja": "BITSジョブ", "en": "BITS Jobs", "desc_en": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.", "desc_ja": "敵対者は、Windowsのバックグラウンドインテリジェント転送サービス(BITS)を悪用してダウンロードや実行・永続化を行うことがある。", "platforms": "Windows", "version": "2.0", "created": "2018-04-18", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "G0040", "name": "Patchwork", "desc_en": "Patchwork has used BITS jobs to download malicious payloads." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has used BITSAdmin to download additional tools." }, { "id": "G0087", "name": "APT39", "desc_en": "APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used BITSAdmin to download and install payloads." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has used batch scripts that utilizes WMIC to execute a BITSAdmin transfer of a ransomware payload to each compromised machine." }, { "id": "S0154", "name": "Cobalt Strike", "desc_en": "Cobalt Strike can download a hosted \"beacon\" payload using BITSAdmin." }, { "id": "S0190", "name": "BITSAdmin", "desc_en": "BITSAdmin can be used to create BITS Jobs to launch a malicious process." }, { "id": "S0201", "name": "JPIN", "desc_en": "A JPIN variant downloads the backdoor payload via the BITS service." }, { "id": "S0333", "name": "UBoatRAT", "desc_en": "UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence." }, { "id": "S0534", "name": "Bazar", "desc_en": "Bazar has been downloaded via Windows BITS functionality." }, { "id": "S0554", "name": "Egregor", "desc_en": "Egregor has used BITSadmin to download and execute malicious DLLs." }, { "id": "S0652", "name": "MarkiRAT", "desc_en": "MarkiRAT can use BITS Utility to connect with the C2 server." }, { "id": "S0654", "name": "ProLock", "desc_en": "ProLock can use BITS jobs to download its malicious payload." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Consider limiting access to the BITS interface to specific users or groups.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Consider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout and MaxDownloadTime Registry values in HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\BITS.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1037", "name": "Filter Network Traffic", "name_ja": "ネットワークトラフィックのフィルタリング", "desc_en": "Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.", "desc_ja": "ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。" } ], "detections": [ { "id": "DET0098", "name": "Detect abuse of Windows BITS Jobs for download, execution and persistence", "name_ja": "BITSジョブの検知", "desc_en": "", "desc_ja": "BITSジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1203", "ja": "クライアント実行のための脆弱性悪用", "en": "Exploitation for Client Execution", "desc_en": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.", "desc_ja": "敵対者は、クライアントアプリの脆弱性を悪用してコードを実行することがある。", "platforms": "Linux, macOS, Windows", "version": "1.5", "created": "2018-04-18", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "C0001", "name": "Frankenstein", "desc_en": "During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine." }, { "id": "C0016", "name": "Operation Dust Storm", "desc_en": "During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322." }, { "id": "C0047", "name": "RedDelta Modified PlugX Infection Chain Operations", "desc_en": "Mustang Panda used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during RedDelta Modified PlugX Infection Chain Operations." }, { "id": "C0056", "name": "RedPenguin", "desc_en": "During RedPenguin, UNC3886 exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution." }, { "id": "C0057", "name": "3CX Supply Chain Attack", "desc_en": "During the 3CX Supply Chain Attack, AppleJeus leveraged the Chrome vulnerability, CVE-2022-0609, in combination with a Drive-by Compromise website." }, { "id": "G0001", "name": "Axiom", "desc_en": "Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893." }, { "id": "G0005", "name": "APT12", "desc_en": "APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611)." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution." }, { "id": "G0012", "name": "Darkhotel", "desc_en": "Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution." }, { "id": "G0018", "name": "admin@338", "desc_en": "admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158." }, { "id": "G0022", "name": "APT3", "desc_en": "APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906)." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system." }, { "id": "G0040", "name": "Patchwork", "desc_en": "Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has exploited CVE-2024-30088 to run arbitrary code in the context of `SYSTEM`." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32 has used RTF document that includes an exploit to execute malicious code. (CVE-2017-11882)" }, { "id": "G0060", "name": "BRONZE BUTLER", "desc_en": "BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution." }, { "id": "G0062", "name": "TA459", "desc_en": "TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution." }, { "id": "G0064", "name": "APT33", "desc_en": "APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774)." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882." }, { "id": "G0066", "name": "Elderwood", "desc_en": "Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits." }, { "id": "G0067", "name": "APT37", "desc_en": "APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution." }, { "id": "G0069", "name": "MuddyWater", "desc_en": "MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution." }, { "id": "G0080", "name": "Cobalt Group", "desc_en": "Cobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759." }, { "id": "G0081", "name": "Tropic Trooper", "desc_en": "Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158." }, { "id": "G0089", "name": "The White Company", "desc_en": "The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396." }, { "id": "G0098", "name": "BlackTech", "desc_en": "BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119." }, { "id": "G0100", "name": "Inception", "desc_en": "Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution." }, { "id": "G0121", "name": "Sidewinder", "desc_en": "Sidewinder has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674." }, { "id": "G0126", "name": "Higaisa", "desc_en": "Higaisa has exploited CVE-2018-0798 for execution." }, { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code." }, { "id": "G0131", "name": "Tonto Team", "desc_en": "Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489 CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads." }, { "id": "G0134", "name": "Transparent Tribe", "desc_en": "Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution." }, { "id": "G0138", "name": "Andariel", "desc_en": "Andariel has exploited numerous ActiveX vulnerabilities, including zero-days." }, { "id": "G0142", "name": "Confucius", "desc_en": "Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802." }, { "id": "G1002", "name": "BITTER", "desc_en": "BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear has used exploits to enable follow-on execution of frameworks such as Meterpreter." }, { "id": "G1007", "name": "Aoqin Dragon", "desc_en": "Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems." }, { "id": "G1011", "name": "EXOTIC LILY", "desc_en": "EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML." }, { "id": "G1031", "name": "Saint Bear", "desc_en": "Saint Bear has leveraged vulnerabilities in client applications such as CVE-2017-11882 in Microsoft Office to enable code execution in victim environments." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle has used exploits for vulnerabilities such as CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847 to achieve client code execution." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has exoloited CVE-2023-34048 to enable command execution on vCenter servers and CVE-2023-20867 in VMware Tools to execute unauthenticated Guest Operations from ESXi hosts to guest VMs." }, { "id": "S0154", "name": "Cobalt Strike", "desc_en": "Cobalt Strike can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460." }, { "id": "S0239", "name": "Bankshot", "desc_en": "Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines." }, { "id": "S0243", "name": "DealersChoice", "desc_en": "DealersChoice leverages vulnerable versions of Flash to perform execution." }, { "id": "S0260", "name": "InvisiMole", "desc_en": "InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution." }, { "id": "S0331", "name": "Agent Tesla", "desc_en": "Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery." }, { "id": "S0341", "name": "Xbash", "desc_en": "Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution." }, { "id": "S0374", "name": "SpeakUp", "desc_en": "SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager." }, { "id": "S0391", "name": "HAWKBALL", "desc_en": "HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload." }, { "id": "S0396", "name": "EvilBunny", "desc_en": "EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader." }, { "id": "S0458", "name": "Ramsay", "desc_en": "Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570." }, { "id": "S0578", "name": "SUPERNOVA", "desc_en": "SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148)." }, { "id": "S1065", "name": "Woody RAT", "desc_en": "Woody RAT has relied on CVE-2022-30190 (Follina) for execution during delivery." }, { "id": "S1154", "name": "VersaMem", "desc_en": "VersaMem was installed through exploitation of CVE-2024-39717 in Versa Director servers." }, { "id": "S1207", "name": "XLoader", "desc_en": "XLoader has exploited Office vulnerabilities during local execution such as CVE-2017-11882 and CVE-2018-0798." } ], "mitigations": [ { "id": "M1048", "name": "Application Isolation and Sandboxing", "name_ja": "アプリケーション分離・サンドボックス化", "desc_en": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. \n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist.", "desc_ja": "アプリを分離・サンドボックス化し、影響範囲を限定する。" }, { "id": "M1050", "name": "Exploit Protection", "name_ja": "エクスプロイト保護", "desc_en": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility.", "desc_ja": "エクスプロイト保護機能で脆弱性悪用を防ぐ。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Perform regular software updates to mitigate exploitation risk. Keeping software up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0287", "name": "Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps)", "name_ja": "クライアント実行のための脆弱性悪用の検知", "desc_en": "", "desc_ja": "クライアント実行のための脆弱性悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1204", "ja": "ユーザー実行", "en": "User Execution", "desc_en": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.", "desc_ja": "敵対者は、ユーザーに悪意あるファイルやリンクを開かせることでコードを実行させることがある。", "platforms": "Linux, Windows, macOS, IaaS, Containers", "version": "1.8", "created": "2018-04-18", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1204.001", "ja": "悪意あるリンク", "en": "Malicious Link", "desc_en": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.", "desc_ja": "敵対者は、ユーザーに悪意あるリンクをクリックさせてコードを実行させることがある。" }, { "sid": ".002", "tid": "T1204.002", "ja": "悪意あるファイル", "en": "Malicious File", "desc_en": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.", "desc_ja": "敵対者は、ユーザーに悪意あるファイルを開かせてコードを実行させることがある。" }, { "sid": ".003", "tid": "T1204.003", "ja": "悪意あるイメージ", "en": "Malicious Image", "desc_en": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.", "desc_ja": "敵対者は、悪意あるコンテナイメージをユーザーに実行させることがある。" }, { "sid": ".004", "tid": "T1204.004", "ja": "悪意あるコピー&ペースト", "en": "Malicious Copy and Paste", "desc_en": "An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is \"ClickFix,\" in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.", "desc_ja": "敵対者は、悪意あるコマンドをコピー&ペーストさせて実行させることがある。" }, { "sid": ".005", "tid": "T1204.005", "ja": "悪意あるライブラリ", "en": "Malicious Library", "desc_en": "Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may Upload Malware to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. User may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.", "desc_ja": "敵対者は、ユーザーに悪意あるライブラリを読み込ませて実行させることがある。" } ], "procedures": [ { "id": "C0037", "name": "Water Curupira Pikabot Distribution", "desc_en": "Water Curupira Pikabot Distribution requires users to interact with malicious attachments in order to start Pikabot installation." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing LAPSUS$ to take control of an authenticated system." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has impersonated organization IT and helpdesk staff to instruct victims to execute commercial remote access tools to gain initial access." }, { "id": "S1130", "name": "Raspberry Robin", "desc_en": "Raspberry Robin execution can rely on users directly interacting with malicious LNK files." }, { "id": "S1213", "name": "Lumma Stealer", "desc_en": "Lumma Stealer has been distributed through a fake CAPTCHA that presents instructions to the victim to open Windows Run window (“Windows Button + R”) and paste clipboard contents (“CTRL + V”) and press “Enter” to execute a Base64-encoded PowerShell." } ], "mitigations": [ { "id": "M1017", "name": "User Training", "name_ja": "ユーザー教育", "desc_en": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.", "desc_ja": "ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。" }, { "id": "M1021", "name": "Restrict Web-Based Content", "name_ja": "Webベースコンテンツの制限", "desc_en": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.", "desc_ja": "危険なWebコンテンツへのアクセスを制限する。" }, { "id": "M1031", "name": "Network Intrusion Prevention", "name_ja": "ネットワーク侵入防止", "desc_en": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.", "desc_ja": "ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。" }, { "id": "M1033", "name": "Limit Software Installation", "name_ja": "ソフトウェアインストールの制限", "desc_en": "Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.", "desc_ja": "ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Application control may be able to prevent the running of executables masquerading as other files.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" } ], "detections": [ { "id": "DET0478", "name": "User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress)", "name_ja": "ユーザー実行の検知", "desc_en": "", "desc_ja": "ユーザー実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1559", "ja": "プロセス間通信", "en": "Inter-Process Communication", "desc_en": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.", "desc_ja": "敵対者は、プロセス間通信(IPC)機構を悪用してコードを実行することがある。", "platforms": "Linux, macOS, Windows", "version": "1.4", "created": "2020-02-12", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1559.001", "ja": "コンポーネントオブジェクトモデル(COM)", "en": "Component Object Model", "desc_en": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).", "desc_ja": "敵対者は、COMを悪用してプロセス間でコードを実行することがある。" }, { "sid": ".002", "tid": "T1559.002", "ja": "動的データ交換(DDE)", "en": "Dynamic Data Exchange", "desc_en": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.", "desc_ja": "敵対者は、DDEを悪用してコードを実行することがある。" }, { "sid": ".003", "tid": "T1559.003", "ja": "XPCサービス", "en": "XPC Services", "desc_en": "Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API or the high level NSXPCConnection API in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.", "desc_ja": "敵対者は、XPCサービスを悪用してmacOSでコードを実行することがある。" } ], "procedures": [ { "id": "C0048", "name": "Operation MidnightEclipse", "desc_en": "During Operation MidnightEclipse, threat actors wrote output to stdout then piped it to bash for execution." }, { "id": "C0057", "name": "3CX Supply Chain Attack", "desc_en": "During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL creates and listens on a Windows named pipe to exchange messages between modules." }, { "id": "S0022", "name": "Uroburos", "desc_en": "Uroburos has the ability to move data between its kernel and user mode components, generally using named pipes." }, { "id": "S0537", "name": "HyperStack", "desc_en": "HyperStack can connect to the IPC$ share on remote machines." }, { "id": "S0687", "name": "Cyclops Blink", "desc_en": "Cyclops Blink has the ability to create a pipe to enable inter-process communication." }, { "id": "S1078", "name": "RotaJakiro", "desc_en": "When executing with non-root permissions, RotaJakiro uses the the `shmget API` to create shared memory between other known RotaJakiro processes. This allows processes to communicate with each other and share their PID." }, { "id": "S1100", "name": "Ninja", "desc_en": "Ninja can use pipes to redirect the standard input and the standard output." }, { "id": "S1123", "name": "PITSTOP", "desc_en": "PITSTOP can listen over the Unix domain socket located at `/data/runtime/cockpit/wd.fd`." }, { "id": "S1130", "name": "Raspberry Robin", "desc_en": "Raspberry Robin contains an embedded custom Tor network client that communicates with the primary payload via shared process memory." }, { "id": "S1141", "name": "LunarWeb", "desc_en": "LunarWeb can retrieve output from arbitrary processes and shell commands via a pipe." }, { "id": "S1150", "name": "ROADSWEEP", "desc_en": "ROADSWEEP can pipe command output to a targeted process." }, { "id": "S1172", "name": "OilBooster", "desc_en": "OilBooster can read the results of command line execution via an unnamed pipe connected to the process." }, { "id": "S1200", "name": "StealBit", "desc_en": "StealBit can use interprocess communication (IPC) to enable the designation of multiple files for exfiltration in a scalable manner." }, { "id": "S1229", "name": "Havoc", "desc_en": "The Havoc SMB demon can use named pipes for communication through a parent demon." }, { "id": "S1239", "name": "TONESHELL", "desc_en": "TONESHELL has facilitated inter-process communication between DLL components via the use of pipes. TONESHELL has also created a reverse shell using two anonymous pipes to write data to stdin and read data from stdout and stderr." }, { "id": "S1244", "name": "Medusa Ransomware", "desc_en": "Medusa Ransomware has leveraged the `CreatePipe` API to enable inter-process communication." }, { "id": "S9024", "name": "SPAWNCHIMERA", "desc_en": "SPAWNCHIMERA has leveraged IPC using a UNIX domain socket between the dsmdm process and the web process." } ], "mitigations": [ { "id": "M1013", "name": "Application Developer Guidance", "name_ja": "アプリケーション開発者向けガイダンス", "desc_en": "Enable the Hardened Runtime capability when developing applications. Do not include the com.apple.security.get-task-allow entitlement with the value set to any variation of true.", "desc_ja": "開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Modify Registry settings (directly or using Dcomcnfg.exe) in `HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Classes\\\\AppID\\\\{AppID_GUID}` associated with the process-wide security of individual COM applications.\n\nModify Registry settings (directly or using Dcomcnfg.exe) in `HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Ole` associated with system-wide security defaults for all COM applications that do no set their own process-wide security.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" }, { "id": "M1048", "name": "Application Isolation and Sandboxing", "name_ja": "アプリケーション分離・サンドボックス化", "desc_en": "Ensure all COM alerts and Protected View are enabled.", "desc_ja": "アプリを分離・サンドボックス化し、影響範囲を限定する。" }, { "id": "M1054", "name": "Software Configuration", "name_ja": "ソフトウェア構成", "desc_en": "Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.", "desc_ja": "ソフトウェアを安全に構成し、悪用を防ぐ。" } ], "detections": [ { "id": "DET0493", "name": "Detect Abuse of Inter-Process Communication (T1559)", "name_ja": "プロセス間通信の検知", "desc_en": "", "desc_ja": "プロセス間通信に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1569", "ja": "システムサービス", "en": "System Services", "desc_en": "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.", "desc_ja": "敵対者は、システムサービスの仕組みを悪用してコマンドやペイロードを実行することがある。", "platforms": "Windows, macOS, Linux", "version": "1.4", "created": "2020-03-10", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1569.001", "ja": "Launchctl", "en": "Launchctl", "desc_en": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.", "desc_ja": "敵対者は、launchctlを悪用してmacOSでサービスを実行することがある。" }, { "sid": ".002", "tid": "T1569.002", "ja": "サービス実行", "en": "Service Execution", "desc_en": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.", "desc_ja": "敵対者は、サービス実行機構を悪用してWindowsでコードを実行することがある。" }, { "sid": ".003", "tid": "T1569.003", "ja": "Systemctl", "en": "Systemctl", "desc_en": "Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.", "desc_ja": "敵対者は、systemctlを悪用してLinuxでサービスを実行することがある。" } ], "procedures": [], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Prevent users from installing their own launch agents or launch daemons.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" } ], "detections": [ { "id": "DET0279", "name": "Detection Strategy for System Services across OS platforms.", "name_ja": "システムサービスの検知", "desc_en": "", "desc_ja": "システムサービスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1574", "ja": "実行フローの乗っ取り", "en": "Hijack Execution Flow", "desc_en": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.", "desc_ja": "敵対者は、プログラムの実行フロー(DLL探索順等)を乗っ取って悪意あるコードを実行することがある。", "platforms": "Linux, macOS, Windows", "version": "2.0", "created": "2020-03-12", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1574.001", "ja": "DLL", "en": "DLL", "desc_en": "Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.", "desc_ja": "敵対者は、DLL探索順やサイドローディングを悪用して実行フローを乗っ取ることがある。" }, { "sid": ".004", "tid": "T1574.004", "ja": "Dylibハイジャック", "en": "Dylib Hijacking", "desc_en": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.", "desc_ja": "敵対者は、dylibハイジャックでmacOSの実行フローを乗っ取ることがある。" }, { "sid": ".005", "tid": "T1574.005", "ja": "実行可能インストーラのファイル権限の弱点", "en": "Executable Installer File Permissions Weakness", "desc_en": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.", "desc_ja": "敵対者は、実行可能インストーラのファイル権限の弱点を悪用することがある。" }, { "sid": ".006", "tid": "T1574.006", "ja": "動的リンカーハイジャック", "en": "Dynamic Linker Hijacking", "desc_en": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.", "desc_ja": "敵対者は、動的リンカーを悪用して実行フローを乗っ取ることがある。" }, { "sid": ".007", "tid": "T1574.007", "ja": "PATH環境変数によるパス横取り", "en": "Path Interception by PATH Environment Variable", "desc_en": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.", "desc_ja": "敵対者は、PATH環境変数を悪用してパスを横取りすることがある。" }, { "sid": ".008", "tid": "T1574.008", "ja": "検索順ハイジャックによるパス横取り", "en": "Path Interception by Search Order Hijacking", "desc_en": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.", "desc_ja": "敵対者は、検索順ハイジャックでパスを横取りすることがある。" }, { "sid": ".009", "tid": "T1574.009", "ja": "引用符なしパスによるパス横取り", "en": "Path Interception by Unquoted Path", "desc_en": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.", "desc_ja": "敵対者は、引用符なしパスを悪用してパスを横取りすることがある。" }, { "sid": ".010", "tid": "T1574.010", "ja": "サービスのファイル権限の弱点", "en": "Services File Permissions Weakness", "desc_en": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.", "desc_ja": "敵対者は、サービスのファイル権限の弱点を悪用することがある。" }, { "sid": ".011", "tid": "T1574.011", "ja": "サービスのレジストリ権限の弱点", "en": "Services Registry Permissions Weakness", "desc_en": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.", "desc_ja": "敵対者は、サービスのレジストリ権限の弱点を悪用することがある。" }, { "sid": ".012", "tid": "T1574.012", "ja": "COR_PROFILER", "en": "COR_PROFILER", "desc_en": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.", "desc_ja": "敵対者は、COR_PROFILERを悪用して実行フローを乗っ取ることがある。" }, { "sid": ".013", "tid": "T1574.013", "ja": "KernelCallbackTable", "en": "KernelCallbackTable", "desc_en": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.", "desc_ja": "敵対者は、KernelCallbackTableを悪用して実行フローを乗っ取ることがある。" }, { "sid": ".014", "tid": "T1574.014", "ja": "AppDomainManager", "en": "AppDomainManager", "desc_en": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.", "desc_ja": "敵対者は、AppDomainManagerを悪用して.NETの実行フローを乗っ取ることがある。" } ], "procedures": [ { "id": "C0017", "name": "C0017", "desc_en": "During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries." }, { "id": "C0036", "name": "Pikabot Distribution February 2024", "desc_en": "Pikabot Distribution February 2024 utilized a tampered legitimate executable, `grepWinNP3.exe`, for its first stage Pikabot loader, modifying the open-source tool to execute malicious code when launched." }, { "id": "S0354", "name": "Denis", "desc_en": "Denis replaces the nonexistent Windows DLL \"msfte.dll\" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe." }, { "id": "S0444", "name": "ShimRat", "desc_en": "ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls." }, { "id": "S0567", "name": "Dtrack", "desc_en": "One of Dtrack can replace the normal flow of a program execution with malicious code." }, { "id": "S1018", "name": "Saint Bot", "desc_en": "Saint Bot will use the malicious file slideshow.mp4 if present to load the core API provided by ntdll.dll to avoid any hooks placed on calls to the original ntdll.dll file by endpoint detection and response or antimalware software." }, { "id": "S1105", "name": "COATHANGER", "desc_en": "COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as `read(2)`." }, { "id": "S1111", "name": "DarkGate", "desc_en": "DarkGate edits the Registry key HKCU\\Software\\Classes\\mscfile\\shell\\open\\command to execute a malicious AutoIt script. When eventvwr.exe is executed, this will call the Microsoft Management Console (mmc.exe), which in turn references the modified Registry key." }, { "id": "S1130", "name": "Raspberry Robin", "desc_en": "Raspberry Robin will drop a copy of itself to a subfolder in %Program Data% or %Program Data%\\\\Microsoft\\\\ to attempt privilege elevation and defense evasion if not running in Session 0." }, { "id": "S1147", "name": "Nightdoor", "desc_en": "Nightdoor uses a legitimate executable to load a malicious DLL file for installation." }, { "id": "S9024", "name": "SPAWNCHIMERA", "desc_en": "SPAWNCHIMERA can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process." } ], "mitigations": [ { "id": "M1013", "name": "Application Developer Guidance", "name_ja": "アプリケーション開発者向けガイダンス", "desc_en": "When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.", "desc_ja": "開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。" }, { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.\n\nEnsure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1024", "name": "Restrict Registry Permissions", "name_ja": "レジストリ権限の制限", "desc_en": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.", "desc_ja": "レジストリキーの権限を制限し、不正な改変を防ぐ。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" }, { "id": "M1044", "name": "Restrict Library Loading", "name_ja": "ライブラリロードの制限", "desc_en": "Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.\n\nEnable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%)to be used before local directory DLLs (e.g. a user's home directory)\n\nThe Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SafeDLLSearchMode", "desc_ja": "ライブラリのロードを制限し、不正なコード実行を防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.\n\nUse the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.\n\nFind and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Update software regularly to include patches that fix DLL side-loading vulnerabilities.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" }, { "id": "M1052", "name": "User Account Control", "name_ja": "ユーザーアカウント制御(UAC)", "desc_en": "Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] to automatically deny elevation requests, add: \"ConsentPromptBehaviorUser\"=dword:00000000. Consider enabling installer detection for all users by adding: \"EnableInstallerDetection\"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: \"EnableInstallerDetection\"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.", "desc_ja": "UACを適切に構成し、権限昇格を防ぐ。" } ], "detections": [ { "id": "DET0218", "name": "Detection Strategy for Hijack Execution Flow across OS platforms.", "name_ja": "実行フローの乗っ取りの検知", "desc_en": "", "desc_ja": "実行フローの乗っ取りに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1609", "ja": "コンテナ管理コマンド", "en": "Container Administration Command", "desc_en": "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.", "desc_ja": "敵対者は、コンテナ管理サービス/APIを悪用してコンテナ内でコマンドを実行することがある。", "platforms": "Containers", "version": "1.3", "created": "2021-03-29", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "G0139", "name": "TeamTNT", "desc_en": "TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers." }, { "id": "S0599", "name": "Kinsing", "desc_en": "Kinsing was executed with an Ubuntu container entry point that runs shell scripts." }, { "id": "S0601", "name": "Hildegard", "desc_en": "Hildegard was executed through the kubelet API run command and by executing commands on running containers." }, { "id": "S0623", "name": "Siloscape", "desc_en": "Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster." }, { "id": "S0683", "name": "Peirates", "desc_en": "Peirates can use `kubectl` or the Kubernetes API to run commands." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Enforce authentication and role-based access control on the container service to restrict users to the least privileges required. When using Kubernetes, avoid giving users wildcard permissions or adding users to the `system:masters` group, and use `RoleBindings` rather than `ClusterRoleBindings` to limit user privileges to specific namespaces.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers and using the `NodeRestriction` admission controller to deny the kublet access to nodes and pods outside of the node it belongs to.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1035", "name": "Limit Access to Resource Over Network", "name_ja": "ネットワーク経由のリソースアクセス制限", "desc_en": "Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server. In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server. Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.", "desc_ja": "ネットワーク越しのリソースアクセスを制限する。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands. Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Remove unnecessary tools and software from containers.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" } ], "detections": [ { "id": "DET0065", "name": "Detection Strategy for Container Administration Command Abuse", "name_ja": "コンテナ管理コマンドの検知", "desc_en": "", "desc_ja": "コンテナ管理コマンドに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1610", "ja": "コンテナのデプロイ", "en": "Deploy Container", "desc_en": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node.", "desc_ja": "敵対者は、悪意あるコンテナをデプロイしてコードを実行することがある。", "platforms": "Containers", "version": "2.0", "created": "2021-03-29", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "G0139", "name": "TeamTNT", "desc_en": "TeamTNT has deployed different types of containers into victim environments to facilitate execution. TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges." }, { "id": "S0599", "name": "Kinsing", "desc_en": "Kinsing was run through a deployed Ubuntu container." }, { "id": "S0600", "name": "Doki", "desc_en": "Doki was run through a deployed container." }, { "id": "S0683", "name": "Peirates", "desc_en": "Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Enforce the principle of least privilege by limiting container dashboard access to only the necessary users. When using Kubernetes, avoid giving users wildcard permissions or adding users to the `system:masters` group, and use `RoleBindings` rather than `ClusterRoleBindings` to limit user privileges to specific namespaces.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1035", "name": "Limit Access to Resource Over Network", "name_ja": "ネットワーク経由のリソースアクセス制限", "desc_en": "Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications. In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server. Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.", "desc_ja": "ネットワーク越しのリソースアクセスを制限する。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0249", "name": "Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes", "name_ja": "コンテナのデプロイの検知", "desc_en": "", "desc_ja": "コンテナのデプロイに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1648", "ja": "サーバーレス実行", "en": "Serverless Execution", "desc_en": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.", "desc_ja": "敵対者は、サーバーレス機能(Lambda等)を悪用してコードを実行することがある。", "platforms": "SaaS, IaaS, Office Suite", "version": "1.2", "created": "2022-05-27", "modified": "2025-04-15", "subs": [], "procedures": [ { "id": "S1091", "name": "Pacu", "desc_en": "Pacu can create malicious Lambda functions." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Remove permissions to create, modify, or run serverless resources from users that do not explicitly require them.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1036", "name": "Account Use Policies", "name_ja": "アカウント使用ポリシー", "desc_en": "Where possible, consider restricting access to and use of serverless functions. For examples, conditional access policies can be applied to users attempting to create workflows in Microsoft Power Automate. Google Apps Scripts that use OAuth can be limited by restricting access to high-risk OAuth scopes.", "desc_ja": "ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。" } ], "detections": [ { "id": "DET0374", "name": "Detection Strategy for Serverless Execution (T1648)", "name_ja": "サーバーレス実行の検知", "desc_en": "", "desc_ja": "サーバーレス実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1651", "ja": "クラウド管理コマンド", "en": "Cloud Administration Command", "desc_en": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.", "desc_ja": "敵対者は、クラウドの管理機能を悪用してVM等でコマンドを実行することがある。", "platforms": "IaaS", "version": "2.1", "created": "2023-03-13", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "G0016", "name": "APT29", "desc_en": "APT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has abused built-in remote wipe or factory reset commands to wipe devices managed within an organization’s Cloud management solution impacting laptops, servers, and mobile devices." }, { "id": "S0677", "name": "AADInternals", "desc_en": "AADInternals can execute commands on Azure virtual machines using the VM agent." }, { "id": "S1091", "name": "Pacu", "desc_en": "Pacu can run commands on EC2 instances using AWS Systems Manager Run Command." } ], "mitigations": [ { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations. In Azure, limit the number of accounts with the roles Azure Virtual Machine Contributer and above, and consider using temporary Just-in-Time (JIT) roles to avoid permanently assigning privileged access to virtual machines.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" } ], "detections": [ { "id": "DET0545", "name": "Detection Strategy for Cloud Administration Command", "name_ja": "クラウド管理コマンドの検知", "desc_en": "", "desc_ja": "クラウド管理コマンドに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1674", "ja": "入力インジェクション", "en": "Input Injection", "desc_en": "Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).", "desc_ja": "敵対者は、キーストローク等の入力を注入してコマンドを実行することがある。", "platforms": "Windows, macOS, Linux", "version": "1.0", "created": "2025-03-27", "modified": "2025-04-15", "subs": [], "procedures": [ { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 has used malicious USBs to emulate keystrokes to launch PowerShell to download and execute malware from the adversary's server." } ], "mitigations": [ { "id": "M1034", "name": "Limit Hardware Installation", "name_ja": "ハードウェアインストールの制限", "desc_en": "Limit the use of USB devices and removable media within a network.", "desc_ja": "ハードウェアの接続を制限し、不正な機器の導入を防ぐ。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Denylist scripting and use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).", "desc_ja": "許可されていないコードの実行を防止する。" } ], "detections": [ { "id": "DET0568", "name": "Detection Strategy for Input Injection", "name_ja": "入力インジェクションの検知", "desc_en": "", "desc_ja": "入力インジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1675", "ja": "ESXi管理コマンド", "en": "ESXi Administration Command", "desc_en": "Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as `vmtoolsd.exe` on Windows guest operating systems, `vmware-tools-daemon` on macOS, and `vmtoolsd ` on Linux.", "desc_ja": "敵対者は、ESXiの管理機能を悪用してコマンドを実行することがある。", "platforms": "ESXi", "version": "1.0", "created": "2025-03-28", "modified": "2025-04-16", "subs": [], "procedures": [ { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 used `vmtoolsd.exe` to run commands on guest virtual machines from a compromised ESXi host." }, { "id": "S1217", "name": "VIRTUALPITA", "desc_en": "VIRTUALPITA can execute commands on guest virtual machines from compromised ESXi hypervisors." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "If not required, restrict the permissions of users to perform Guest Operations on ESXi-hosted VMs.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" } ], "detections": [ { "id": "DET0232", "name": "Detection Strategy for ESXi Administration Command", "name_ja": "ESXi管理コマンドの検知", "desc_en": "", "desc_ja": "ESXi管理コマンドに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1677", "ja": "汚染パイプライン実行", "en": "Poisoned Pipeline Execution", "desc_en": "Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process. There are several mechanisms for poisoning pipelines:", "desc_ja": "敵対者は、CI/CDパイプラインを汚染して悪意あるコードを実行することがある。", "platforms": "SaaS", "version": "1.0", "created": "2025-05-22", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "S9008", "name": "Shai-Hulud", "desc_en": "Shai-Hulud has also leveraged GitHub actions from stolen accounts in order to create a malicious Github workflow within `.github/workflows/discussion.yaml`." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Ensure that CI/CD pipelines only have permissions they require to complete their operations. Additionally, limit the number of users who have write access to internal repositories to only those necessary.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1054", "name": "Software Configuration", "name_ja": "ソフトウェア構成", "desc_en": "Where possible, avoid allowing pipelines to run unreviewed code. Where this is necessary, ensure that these pipelines are executed on isolated nodes without access to secrets. In GitHub, avoid using the `pull_request_target` trigger if possible, do not treat user-controlled inputs (such as branch names) as trusted, and do not use self-hosted runners on public repositories.", "desc_ja": "ソフトウェアを安全に構成し、悪用を防ぐ。" } ], "detections": [ { "id": "DET0533", "name": "Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows", "name_ja": "汚染パイプライン実行の検知", "desc_en": "", "desc_ja": "汚染パイプライン実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] } ] }, { "tactic": "TA0003", "tactic_en": "Persistence", "tactic_ja": "永続化", "techniques": [ { "tid": "T1037", "ja": "起動/ログオン初期化スクリプト", "en": "Boot or Logon Initialization Scripts", "desc_en": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.", "desc_ja": "敵対者は、起動/ログオン時に実行される初期化スクリプトを悪用して永続化することがある。", "platforms": "ESXi, Linux, macOS, Network Devices, Windows", "version": "2.4", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1037.001", "ja": "ログオンスクリプト(Windows)", "en": "Logon Script (Windows)", "desc_en": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.", "desc_ja": "敵対者は、Windowsのログオンスクリプトを悪用して、ログオン時に悪意あるコードを実行し永続化することがある。" }, { "sid": ".002", "tid": "T1037.002", "ja": "ログインフック", "en": "Login Hook", "desc_en": "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.", "desc_ja": "敵対者は、macOSのログインフックを悪用して永続化することがある。" }, { "sid": ".003", "tid": "T1037.003", "ja": "ネットワークログオンスクリプト", "en": "Network Logon Script", "desc_en": "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. \n \nAdversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.", "desc_ja": "敵対者は、ネットワークログオンスクリプトを悪用して永続化することがある。" }, { "sid": ".004", "tid": "T1037.004", "ja": "RCスクリプト", "en": "RC Scripts", "desc_en": "Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.", "desc_ja": "敵対者は、RCスクリプト(rc.local等)を悪用して起動時に永続化することがある。" }, { "sid": ".005", "tid": "T1037.005", "ja": "スタートアップアイテム", "en": "Startup Items", "desc_en": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.", "desc_ja": "敵対者は、スタートアップアイテムを悪用して起動時に永続化することがある。" } ], "procedures": [ { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor used malicious boot scripts to install the Line Runner backdoor on victim devices." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used a hidden shell script in `/etc/rc.d/init.d` to leverage the `ADORE.XSEC`backdoor and `Adore-NG` rootkit." }, { "id": "G0106", "name": "Rocke", "desc_en": "Rocke has installed an \"init.d\" startup script to maintain persistence." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has attempted to bypass digital signature verification checks at startup by adding a command to the startup config `/etc/init.d/localnet` within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices." }, { "id": "S1078", "name": "RotaJakiro", "desc_en": "Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a `.conf` file in the `/etc/init/` folder." }, { "id": "S1217", "name": "VIRTUALPITA", "desc_en": "VIRTUALPITA can persist as an init.d startup service on Linux vCenter systems." }, { "id": "S9024", "name": "SPAWNCHIMERA", "desc_en": "SPAWNCHIMERA has modified the boot process files within `/tmp/coreboot_fs/bin/init` to establish persistence." } ], "mitigations": [ { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict write access to logon scripts to specific administrators.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1024", "name": "Restrict Registry Permissions", "name_ja": "レジストリ権限の制限", "desc_en": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.", "desc_ja": "レジストリキーの権限を制限し、不正な改変を防ぐ。" } ], "detections": [ { "id": "DET0112", "name": "Boot or Logon Initialization Scripts Detection Strategy", "name_ja": "起動/ログオン初期化スクリプトの検知", "desc_en": "", "desc_ja": "起動/ログオン初期化スクリプトに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1053", "ja": "スケジュールされたタスク/ジョブ", "en": "Scheduled Task/Job", "desc_en": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.", "desc_ja": "敵対者は、タスクスケジューラ機能を悪用して、悪意あるコードを定期的または特定時刻に実行することがある。", "platforms": "Containers, ESXi, Linux, macOS, Network Devices, Windows", "version": "2.5", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".002", "tid": "T1053.002", "ja": "At", "en": "At", "desc_en": "Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation `Win32_ScheduledJob` WMI class.", "desc_ja": "敵対者は、atコマンドを悪用してタスクをスケジュール実行することがある。" }, { "sid": ".003", "tid": "T1053.003", "ja": "Cron", "en": "Cron", "desc_en": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.", "desc_ja": "敵対者は、cronを悪用してタスクを定期実行し永続化することがある。" }, { "sid": ".005", "tid": "T1053.005", "ja": "スケジュールされたタスク", "en": "Scheduled Task", "desc_en": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.", "desc_ja": "敵対者は、Windowsのスケジュールされたタスクを悪用して実行・永続化することがある。" }, { "sid": ".006", "tid": "T1053.006", "ja": "systemdタイマー", "en": "Systemd Timers", "desc_en": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.", "desc_ja": "敵対者は、systemdタイマーを悪用してタスクを定期実行し永続化することがある。" }, { "sid": ".007", "tid": "T1053.007", "ja": "コンテナオーケストレーションジョブ", "en": "Container Orchestration Job", "desc_en": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.", "desc_ja": "敵対者は、コンテナオーケストレーションのジョブ機能を悪用してタスクを実行・永続化することがある。" } ], "procedures": [ { "id": "C0063", "name": "2025 Poland Wiper Attacks", "desc_en": "During the 2025 Poland Wiper Attacks, the adversaries set FortiGate scheduled tasks to run the adversary generated CLI scripts weekly." }, { "id": "S0447", "name": "Lokibot", "desc_en": "Lokibot's second stage DLL has set a timer using “timeSetEvent” to schedule its next execution." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0094", "name": "Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse", "name_ja": "スケジュールされたタスク/ジョブの検知", "desc_en": "", "desc_ja": "スケジュールされたタスク/ジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1078", "ja": "有効なアカウント", "en": "Valid Accounts", "desc_en": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.", "desc_ja": "敵対者は、有効なアカウントの認証情報を用いて検知を回避しアクセスすることがある。", "platforms": "Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows", "version": "3.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1078.001", "ja": "デフォルトアカウント", "en": "Default Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.", "desc_ja": "敵対者は、デフォルトアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。" }, { "sid": ".002", "tid": "T1078.002", "ja": "ドメインアカウント", "en": "Domain Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.", "desc_ja": "敵対者は、ドメインアカウントの認証情報を悪用してアクセスや横展開を行うことがある。" }, { "sid": ".003", "tid": "T1078.003", "ja": "ローカルアカウント", "en": "Local Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.", "desc_ja": "敵対者は、ローカルアカウントの認証情報を悪用してアクセスを行うことがある。" }, { "sid": ".004", "tid": "T1078.004", "ja": "クラウドアカウント", "en": "Cloud Accounts", "desc_en": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.", "desc_ja": "敵対者は、クラウドアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。" } ], "procedures": [ { "id": "C0002", "name": "Night Dragon", "desc_en": "During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors used valid VPN credentials to gain initial access." }, { "id": "C0024", "name": "SolarWinds Compromise", "desc_en": "During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally." }, { "id": "C0028", "name": "2015 Ukraine Electric Power Attack", "desc_en": "During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network." }, { "id": "C0032", "name": "C0032", "desc_en": "During the C0032 campaign, TEMP.Veles used compromised VPN accounts." }, { "id": "C0038", "name": "HomeLand Justice", "desc_en": "During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts." }, { "id": "C0048", "name": "Operation MidnightEclipse", "desc_en": "During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks." }, { "id": "C0049", "name": "Leviathan Australian Intrusions", "desc_en": "Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions." }, { "id": "C0056", "name": "RedPenguin", "desc_en": "During RedPenguin, UNC3886 used legitimate credentials to gain priviliged access to Juniper routers." }, { "id": "C0057", "name": "3CX Supply Chain Attack", "desc_en": "During 3CX Supply Chain Attack, AppleJeus has gained access to the 3CX corporate environment through legitimate VPN credentials." }, { "id": "C0062", "name": "Anthropic AI-orchestrated Campaign", "desc_en": "During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks." }, { "id": "G0001", "name": "Axiom", "desc_en": "Axiom has used previously compromised administrative accounts to escalate privileges." }, { "id": "G0004", "name": "Ke3chang", "desc_en": "Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder." }, { "id": "G0008", "name": "Carbanak", "desc_en": "Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars." }, { "id": "G0011", "name": "PittyTiger", "desc_en": "PittyTiger attempts to obtain legitimate credentials during operations." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has used a compromised account to access an organization's VPN infrastructure." }, { "id": "G0026", "name": "APT18", "desc_en": "APT18 actors leverage legitimate credentials to log into external remote services." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group has used administrator credentials to gain access to restricted network segments." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team have used previously acquired legitimate credentials prior to attacks." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has compromised user credentials and used valid accounts for operations." }, { "id": "G0037", "name": "FIN6", "desc_en": "To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes." }, { "id": "G0039", "name": "Suckfly", "desc_en": "Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner." }, { "id": "G0045", "name": "menuPass", "desc_en": "menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments." }, { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 has harvested valid administrative credentials for lateral movement." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has used compromised credentials to access other systems on a victim network." }, { "id": "G0051", "name": "FIN10", "desc_en": "FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor." }, { "id": "G0053", "name": "FIN5", "desc_en": "FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment." }, { "id": "G0061", "name": "FIN8", "desc_en": "FIN8 has used valid accounts for persistence and lateral movement." }, { "id": "G0064", "name": "APT33", "desc_en": "APT33 has used valid accounts for initial access and privilege escalation." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has obtained valid accounts to gain initial access." }, { "id": "G0085", "name": "FIN4", "desc_en": "FIN4 has used legitimate credentials to hijack email communications." }, { "id": "G0087", "name": "APT39", "desc_en": "APT39 has used stolen credentials to compromise Outlook Web Access (OWA)." }, { "id": "G0091", "name": "Silence", "desc_en": "Silence has used compromised credentials to log on to other systems and escalate privileges." }, { "id": "G0093", "name": "GALLIUM", "desc_en": "GALLIUM leveraged valid accounts to maintain access to a victim network." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used compromised credentials to log on to other systems." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers." }, { "id": "G0114", "name": "Chimera", "desc_en": "Chimera has used a valid account to maintain persistence via scheduled task." }, { "id": "G0117", "name": "Fox Kitten", "desc_en": "Fox Kitten has used valid credentials with various services during lateral movement." }, { "id": "G0119", "name": "Indrik Spider", "desc_en": "Indrik Spider has used valid accounts for initial access and lateral movement. Indrik Spider has also maintained access to the victim environment through the VPN infrastructure." }, { "id": "G0122", "name": "Silent Librarian", "desc_en": "Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs." }, { "id": "G1005", "name": "POLONIUM", "desc_en": "POLONIUM has used valid compromised credentials to gain access to victim environments." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has used compromised credentials for initial access." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon relies primarily on valid credentials for persistence." }, { "id": "G1021", "name": "Cinnamon Tempest", "desc_en": "Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services." }, { "id": "G1024", "name": "Akira", "desc_en": "Akira uses valid account information to remotely access victim networks, such as VPN credentials." }, { "id": "G1032", "name": "INC Ransom", "desc_en": "INC Ransom has used compromised valid accounts for access to victim environments." }, { "id": "G1033", "name": "Star Blizzard", "desc_en": "Star Blizzard has used stolen credentials to sign into victim email accounts." }, { "id": "G1040", "name": "Play", "desc_en": "Play has used valid VPN accounts to achieve initial access." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle used compromised credentials to maintain long-term access to victim environments." }, { "id": "G1043", "name": "BlackByte", "desc_en": "BlackByte has gained access to victim environments through legitimate VPN credentials." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has used tools to hijack valid SSH accounts." }, { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement sometimes in combination with PsExec." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure. VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems. VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions." }, { "id": "S0038", "name": "Duqu", "desc_en": "Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware." }, { "id": "S0053", "name": "SeaDuke", "desc_en": "Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials." }, { "id": "S0362", "name": "Linux Rabbit", "desc_en": "Linux Rabbit acquires valid SSH accounts through brute force." }, { "id": "S0567", "name": "Dtrack", "desc_en": "Dtrack used hard-coded credentials to gain access to a network share." }, { "id": "S0599", "name": "Kinsing", "desc_en": "Kinsing has used valid SSH credentials to access remote hosts." }, { "id": "S0604", "name": "Industroyer", "desc_en": "Industroyer can use supplied user credentials to execute processes and stop services." }, { "id": "S9036", "name": "LP-Notes", "desc_en": "LP-Notes has used stolen Windows credentials to log in as the users." } ], "mitigations": [ { "id": "M1013", "name": "Application Developer Guidance", "name_ja": "アプリケーション開発者向けガイダンス", "desc_en": "Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).", "desc_ja": "開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。" }, { "id": "M1015", "name": "Active Directory Configuration", "name_ja": "Active Directory構成", "desc_en": "Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.", "desc_ja": "Active Directoryを適切に構成し、攻撃対象領域を縮小する。" }, { "id": "M1017", "name": "User Training", "name_ja": "ユーザー教育", "desc_en": "Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.", "desc_ja": "ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。" }, { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include if default accounts have been enabled, or if new local accounts are created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1027", "name": "Password Policies", "name_ja": "パスワードポリシー", "desc_en": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. When possible, applications that use SSH keys should be updated periodically and properly secured.\n\nPolicies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.", "desc_ja": "強固なパスワードポリシーを適用し、推測・解読を困難にする。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Implement multi-factor authentication (MFA) across all account types, including default, local, domain, and cloud accounts, to prevent unauthorized access, even if credentials are compromised. MFA provides a critical layer of security by requiring multiple forms of verification beyond just a password. This measure significantly reduces the risk of adversaries abusing valid accounts to gain initial access, escalate privileges, maintain persistence, or evade defenses within your network.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1036", "name": "Account Use Policies", "name_ja": "アカウント使用ポリシー", "desc_en": "Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.", "desc_ja": "ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。" } ], "detections": [ { "id": "DET0560", "name": "Detection of Valid Account Abuse Across Platforms", "name_ja": "有効なアカウントの検知", "desc_en": "", "desc_ja": "有効なアカウントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1098", "ja": "アカウント操作", "en": "Account Manipulation", "desc_en": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.", "desc_ja": "敵対者は、アカウントの権限や認証情報を操作してアクセスを維持することがある。", "platforms": "Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows", "version": "2.8", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1098.001", "ja": "追加のクラウド認証情報", "en": "Additional Cloud Credentials", "desc_en": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.", "desc_ja": "敵対者は、追加のクラウド認証情報を登録してアクセスを維持することがある。" }, { "sid": ".002", "tid": "T1098.002", "ja": "追加のメール委任権限", "en": "Additional Email Delegate Permissions", "desc_en": "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.", "desc_ja": "敵対者は、追加のメール委任権限を付与してアクセスを維持することがある。" }, { "sid": ".003", "tid": "T1098.003", "ja": "追加のクラウドロール", "en": "Additional Cloud Roles", "desc_en": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).", "desc_ja": "敵対者は、追加のクラウドロールを付与して権限を維持/昇格することがある。" }, { "sid": ".004", "tid": "T1098.004", "ja": "SSH認証鍵", "en": "SSH Authorized Keys", "desc_en": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys (or, on ESXi, `/etc/ssh/keys-/authorized_keys`). Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH. The SSH config file is usually located under /etc/ssh/sshd_config.", "desc_ja": "敵対者は、SSH認証鍵を追加してアクセスを維持することがある。" }, { "sid": ".005", "tid": "T1098.005", "ja": "デバイス登録", "en": "Device Registration", "desc_en": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.", "desc_ja": "敵対者は、デバイスを登録してアクセスや永続化を行うことがある。" }, { "sid": ".006", "tid": "T1098.006", "ja": "追加のコンテナクラスタロール", "en": "Additional Container Cluster Roles", "desc_en": "An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.\n \nThis account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised.", "desc_ja": "敵対者は、追加のコンテナクラスタロールを付与して権限を維持することがある。" }, { "sid": ".007", "tid": "T1098.007", "ja": "追加のローカル/ドメイングループ", "en": "Additional Local or Domain Groups", "desc_en": "An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.", "desc_ja": "敵対者は、ローカル/ドメイングループへの追加でアクセスや権限を維持することがある。" } ], "procedures": [ { "id": "C0025", "name": "2016 Ukraine Electric Power Attack", "desc_en": "During the 2016 Ukraine Electric Power Attack, Sandworm Team used the `sp_addlinkedsrvlogin` command in MS-SQL to create a link between a created account and other servers in the network." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account." }, { "id": "G0125", "name": "HAFNIUM", "desc_en": "HAFNIUM has granted privileges to domain accounts and reset the password for default admin accounts." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has added accounts to the ESX Admins group to grant them full admin rights in vSphere." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has leveraged access to administrative control systems to achieve disruptive effects, consistent with administrative account abuse or privilege escalation within existing access." }, { "id": "S0002", "name": "Mimikatz", "desc_en": "The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also manipulate the password hash of an account without knowing the clear text value." }, { "id": "S0274", "name": "Calisto", "desc_en": "Calisto adds permissions and remote logins to all users." }, { "id": "S9008", "name": "Shai-Hulud", "desc_en": "Shai-Hulud has modified GitHub account settings for private repositories and changed them to public." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict access to potentially sensitive files that deal with authentication and/or authorization.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Use multi-factor authentication for user and privileged accounts.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Remove unnecessary and potentially abusable authentication and authorization mechanisms where possible.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" } ], "detections": [ { "id": "DET0096", "name": "Account Manipulation Behavior Chain Detection", "name_ja": "アカウント操作の検知", "desc_en": "", "desc_ja": "アカウント操作に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1112", "ja": "レジストリの変更", "en": "Modify Registry", "desc_en": "Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.", "desc_ja": "敵対者は、レジストリを改変して永続化や防御妨害を行うことがある。", "platforms": "Windows", "version": "3.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0002", "name": "Night Dragon", "desc_en": "During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry." }, { "id": "C0006", "name": "Operation Honeybee", "desc_en": "During Operation Honeybee, the threat actors used batch files that modified registry keys." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, the threat actors enabled Wdigest by changing the `HKLM\\SYSTEM\\\\ControlSet001\\\\Control\\\\SecurityProviders\\\\WDigest` registry value from 0 (disabled) to 1 (enabled)." }, { "id": "C0028", "name": "2015 Ukraine Electric Power Attack", "desc_en": "During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching `rundll32.exe`, which in-turn launches the malware and communicates with C2 servers over the Internet. ." }, { "id": "C0058", "name": "SharePoint ToolShell Exploitation", "desc_en": "During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications." }, { "id": "G0010", "name": "Turla", "desc_en": "Turla has modified Registry values to store payloads." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "A Threat Group-3390 tool has created new Registry keys under `HKEY_CURRENT_USER\\Software\\Classes\\` and `HKLM\\SYSTEM\\CurrentControlSet\\services`." }, { "id": "G0030", "name": "Lotus Blossom", "desc_en": "Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has modified the Registry to perform multiple techniques through the use of Reg." }, { "id": "G0040", "name": "Patchwork", "desc_en": "A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs." }, { "id": "G0047", "name": "Gamaredon Group", "desc_en": "Gamaredon Group has removed security settings for VBA macro execution by changing registry values HKCU\\Software\\Microsoft\\Office\\<version>\\<product>\\Security\\VBAWarnings and HKCU\\Software\\Microsoft\\Office\\<version>\\<product>\\Security\\AccessVBOM. Gamaredon Group has also modified Registry keys to hide folders and system files and to add the C2 address under `HKEY_CURRENT_USER\\Console\\WindowsUpdate`." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has used reg.exe to modify system configuration." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32's backdoor has modified the Windows Registry to store the backdoor's configuration." }, { "id": "G0059", "name": "Magic Hound", "desc_en": "Magic Hound has modified Registry settings for security tools." }, { "id": "G0061", "name": "FIN8", "desc_en": "FIN8 has deleted Registry keys during post compromise cleanup activities." }, { "id": "G0073", "name": "APT19", "desc_en": "APT19 uses a Port 22 malware variant to modify several Registry keys." }, { "id": "G0078", "name": "Gorgon Group", "desc_en": "Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\\Software\\Microsoft\\Office\\." }, { "id": "G0082", "name": "APT38", "desc_en": "APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys." }, { "id": "G0091", "name": "Silence", "desc_en": "Silence can create, delete, or modify a specified Registry key or value." }, { "id": "G0092", "name": "TA505", "desc_en": "TA505 has used malware to disable Windows Defender through modification of the Registry." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence. Kimsuky has also modified the registry entry for `HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry key for persistence with the name WindowsSecurityCheck." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has modified the Registry key HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory. Wizard Spider has also modified the WDigest registry key to allow plaintext credentials to be cached in memory." }, { "id": "G0108", "name": "Blue Mockingbird", "desc_en": "Blue Mockingbird has used Windows Registry modifications to specify a DLL payload." }, { "id": "G0119", "name": "Indrik Spider", "desc_en": "Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities." }, { "id": "G0143", "name": "Aquatic Panda", "desc_en": "Aquatic Panda modified the victim registry to enable the `RestrictedAdmin` mode feature, allowing for pass the hash behaviors to function via RDP." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear modifies registry values for anti-forensics and defense evasion purposes." }, { "id": "G1006", "name": "Earth Lusca", "desc_en": "Earth Lusca modified the registry using the command reg add “HKEY_CURRENT_USER\\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]” for persistence." }, { "id": "G1014", "name": "LuminousMoth", "desc_en": "LuminousMoth has used malware that adds Registry keys for persistence." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has used `netsh` to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG)." }, { "id": "G1031", "name": "Saint Bear", "desc_en": "Saint Bear will leverage malicious Windows batch scripts to modify registry values associated with Windows Defender functionality." }, { "id": "G1043", "name": "BlackByte", "desc_en": "BlackByte performed Registry modifications to escalate privileges and disable security tools." }, { "id": "G1044", "name": "APT42", "desc_en": "APT42 has modified Registry keys to maintain persistence." }, { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has modified Registry keys to elevate privileges, maintain persistence and allow remote access." }, { "id": "S0011", "name": "Taidoor", "desc_en": "Taidoor has the ability to modify the Registry on compromised hosts using RegDeleteValueA and RegCreateKeyExA." }, { "id": "S0012", "name": "PoisonIvy", "desc_en": "PoisonIvy creates a Registry subkey that registers a new system device." }, { "id": "S0013", "name": "PlugX", "desc_en": "PlugX has a module to create, delete, or modify Registry keys." }, { "id": "S0019", "name": "Regin", "desc_en": "Regin appears to have functionality to modify remote Registry information." }, { "id": "S0022", "name": "Uroburos", "desc_en": "Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components." }, { "id": "S0023", "name": "CHOPSTICK", "desc_en": "CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information." }, { "id": "S0031", "name": "BACKSPACE", "desc_en": "BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system." }, { "id": "S0032", "name": "gh0st RAT", "desc_en": "gh0st RAT has altered the InstallTime subkey." }, { "id": "S0045", "name": "ADVSTORESHELL", "desc_en": "ADVSTORESHELL is capable of setting and deleting Registry values." }, { "id": "S0075", "name": "Reg", "desc_en": "Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface." }, { "id": "S0090", "name": "Rover", "desc_en": "Rover has functionality to remove Registry Run key persistence as a cleanup procedure." }, { "id": "S0115", "name": "Crimson", "desc_en": "Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number." }, { "id": "S0126", "name": "ComRAT", "desc_en": "ComRAT has modified Registry values to store encrypted orchestrator code and payloads." }, { "id": "S0140", "name": "Shamoon", "desc_en": "Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy to 1." }, { "id": "S0142", "name": "StreamEx", "desc_en": "StreamEx has the ability to modify the Registry." }, { "id": "S0148", "name": "RTM", "desc_en": "RTM can delete all Registry entries created during its execution." }, { "id": "S0154", "name": "Cobalt Strike", "desc_en": "Cobalt Strike can modify Registry values within HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Excel\\Security\\AccessVBOM\\ to enable the execution of additional code." }, { "id": "S0157", "name": "SOUNDBITE", "desc_en": "SOUNDBITE is capable of modifying the Registry." }, { "id": "S0158", "name": "PHOREAL", "desc_en": "PHOREAL is capable of manipulating the Registry." }, { "id": "S0180", "name": "Volgmer", "desc_en": "Volgmer modifies the Registry to store an encoded configuration file in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security." }, { "id": "S0198", "name": "NETWIRE", "desc_en": "NETWIRE can modify the Registry to store its configuration information." }, { "id": "S0203", "name": "Hydraq", "desc_en": "Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys." }, { "id": "S0205", "name": "Naid", "desc_en": "Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk." }, { "id": "S0210", "name": "Nerex", "desc_en": "Nerex creates a Registry subkey that registers a new service." }, { "id": "S0229", "name": "Orz", "desc_en": "Orz can perform Registry operations." }, { "id": "S0239", "name": "Bankshot", "desc_en": "Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Pniumj." }, { "id": "S0240", "name": "ROKRAT", "desc_en": "ROKRAT can modify the `HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\` registry key so it can bypass the VB object model (VBOM) on a compromised host." }, { "id": "S0242", "name": "SynAck", "desc_en": "SynAck can manipulate Registry keys." }, { "id": "S0245", "name": "BADCALL", "desc_en": "BADCALL modifies the firewall Registry key SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfileGloballyOpenPorts\\\\List." }, { "id": "S0254", "name": "PLAINTEE", "desc_en": "PLAINTEE uses reg add to add a Registry Run key for persistence." }, { "id": "S0256", "name": "Mosquito", "desc_en": "Mosquito can modify Registry keys under HKCU\\Software\\Microsoft\\[dllname] to store configuration values. Mosquito also modifies Registry keys under HKCR\\CLSID\\...\\InprocServer32 with a path to the launcher." }, { "id": "S0260", "name": "InvisiMole", "desc_en": "InvisiMole has a command to create, set, copy, or delete a specified Registry key or value." }, { "id": "S0261", "name": "Catchamas", "desc_en": "Catchamas creates three Registry keys to establish persistence by adding a Windows Service." }, { "id": "S0262", "name": "QuasarRAT", "desc_en": "QuasarRAT has a command to edit the Registry on the victim’s machine." }, { "id": "S0263", "name": "TYPEFRAME", "desc_en": "TYPEFRAME can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll and HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs." }, { "id": "S0266", "name": "TrickBot", "desc_en": "TrickBot can modify registry entries." }, { "id": "S0267", "name": "FELIXROOT", "desc_en": "FELIXROOT deletes the Registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open." }, { "id": "S0268", "name": "Bisonal", "desc_en": "Bisonal has deleted Registry keys to clean up its prior activity." }, { "id": "S0269", "name": "QUADAGENT", "desc_en": "QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications." }, { "id": "S0271", "name": "KEYMARBLE", "desc_en": "KEYMARBLE has a command to create Registry entries for storing data under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\WABE\\DataPath." }, { "id": "S0330", "name": "Zeus Panda", "desc_en": "Zeus Panda modifies several Registry keys under HKCU\\Software\\Microsoft\\Internet Explorer\\ PhishingFilter\\ to disable phishing filters." }, { "id": "S0331", "name": "Agent Tesla", "desc_en": "Agent Tesla can achieve persistence by modifying Registry key entries." }, { "id": "S0332", "name": "Remcos", "desc_en": "Remcos has full control of the Registry, including the ability to modify it." }, { "id": "S0334", "name": "DarkComet", "desc_en": "DarkComet adds a Registry value for its installation routine to the Registry Key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System Enable LUA=”0” and HKEY_CURRENT_USER\\Software\\DC3_FEXEC." }, { "id": "S0336", "name": "NanoCore", "desc_en": "NanoCore has the capability to edit the Registry." }, { "id": "S0342", "name": "GreyEnergy", "desc_en": "GreyEnergy modifies conditions in the Registry and adds keys." }, { "id": "S0343", "name": "Exaramel for Windows", "desc_en": "Exaramel for Windows adds the configuration to the Registry in XML format." }, { "id": "S0348", "name": "Cardinal RAT", "desc_en": "Cardinal RAT sets HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load to point to its executable." }, { "id": "S0350", "name": "zwShell", "desc_en": "zwShell can modify the Registry." }, { "id": "S0356", "name": "KONNI", "desc_en": "KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence." }, { "id": "S0376", "name": "HOPLIGHT", "desc_en": "HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system." }, { "id": "S0385", "name": "njRAT", "desc_en": "njRAT can create, delete, or modify a specified Registry key or value." }, { "id": "S0386", "name": "Ursnif", "desc_en": "Ursnif has used Registry modifications as part of its installation routine." }, { "id": "S0397", "name": "LoJax", "desc_en": "LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute’ from ‘autocheck autochk *’ to ‘autocheck autoche *’." }, { "id": "S0412", "name": "ZxShell", "desc_en": "ZxShell can create Registry entries to enable services to run." }, { "id": "S0428", "name": "PoetRAT", "desc_en": "PoetRAT has made registry modifications to alter its behavior upon execution." }, { "id": "S0438", "name": "Attor", "desc_en": "Attor's dispatcher can modify the Run registry key." }, { "id": "S0441", "name": "PowerShower", "desc_en": "PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process." }, { "id": "S0444", "name": "ShimRat", "desc_en": "ShimRat has registered two registry keys for shim databases." }, { "id": "S0447", "name": "Lokibot", "desc_en": "Lokibot has modified the Registry as part of its UAC bypass process." }, { "id": "S0455", "name": "Metamorfo", "desc_en": "Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key." }, { "id": "S0457", "name": "Netwalker", "desc_en": "Netwalker can add the following registry entry: HKEY_CURRENT_USER\\SOFTWARE\\{8 random characters}." }, { "id": "S0467", "name": "TajMahal", "desc_en": "TajMahal can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers to enable document stealing." }, { "id": "S0476", "name": "Valak", "desc_en": "Valak has the ability to modify the Registry key HKCU\\Software\\ApplicationContainer\\Appsw64 to store information regarding the C2 server and downloads." }, { "id": "S0488", "name": "CrackMapExec", "desc_en": "CrackMapExec can create a registry key using wdigest." }, { "id": "S0496", "name": "REvil", "desc_en": "REvil can modify the Registry to save encryption parameters and system information." }, { "id": "S0501", "name": "PipeMon", "desc_en": "PipeMon has modified the Registry to store its encrypted payload." }, { "id": "S0511", "name": "RegDuke", "desc_en": "RegDuke can create seemingly legitimate Registry key to store its encryption key." }, { "id": "S0517", "name": "Pillowmint", "desc_en": "Pillowmint has modified the Registry key HKLM\\SOFTWARE\\Microsoft\\DRM to store a malicious payload." }, { "id": "S0518", "name": "PolyglotDuke", "desc_en": "PolyglotDuke can write encrypted JSON configuration files to the Registry." }, { "id": "S0527", "name": "CSPY Downloader", "desc_en": "CSPY Downloader can write to the Registry under the %windir% variable to execute tasks." }, { "id": "S0531", "name": "Grandoreiro", "desc_en": "Grandoreiro can modify the Registry to store its configuration at `HKCU\\Software\\` under frequently changing names including %USERNAME% and ToolTech-RM." }, { "id": "S0533", "name": "SLOTHFULMEDIA", "desc_en": "SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap registry." }, { "id": "S0537", "name": "HyperStack", "desc_en": "HyperStack can add the name of its communication pipe to HKLM\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\lanmanserver\\\\parameters\\NullSessionPipes." }, { "id": "S0559", "name": "SUNBURST", "desc_en": "SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\\SYSTEM\\CurrentControlSet\\services\\\\[service_name]\\\\Start registry entries to value 4. It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity." }, { "id": "S0560", "name": "TEARDROP", "desc_en": "TEARDROP modified the Registry to create a Windows service for itself on a compromised host." }, { "id": "S0568", "name": "EVILNUM", "desc_en": "EVILNUM can make modifications to the Regsitry for persistence." }, { "id": "S0569", "name": "Explosive", "desc_en": "Explosive has a function to write itself to Registry values." }, { "id": "S0570", "name": "BitPaymer", "desc_en": "BitPaymer can set values in the Registry to help in execution." }, { "id": "S0572", "name": "Caterpillar WebShell", "desc_en": "Caterpillar WebShell has a command to modify a Registry key." }, { "id": "S0576", "name": "MegaCortex", "desc_en": "MegaCortex has added entries to the Registry for ransom contact information." }, { "id": "S0579", "name": "Waterbear", "desc_en": "Waterbear has deleted certain values from the Registry to load a malicious DLL." }, { "id": "S0583", "name": "Pysa", "desc_en": "Pysa has modified the registry key “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System” and added the ransom note." }, { "id": "S0589", "name": "Sibot", "desc_en": "Sibot has modified the Registry to install a second-stage script in the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot." }, { "id": "S0596", "name": "ShadowPad", "desc_en": "ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system." }, { "id": "S0603", "name": "Stuxnet", "desc_en": "Stuxnet can create registry keys to load driver files." }, { "id": "S0608", "name": "Conficker", "desc_en": "Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services and various other Registry locations." }, { "id": "S0611", "name": "Clop", "desc_en": "Clop can make modifications to Registry keys." }, { "id": "S0612", "name": "WastedLocker", "desc_en": "WastedLocker can modify registry values within the Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap registry key." }, { "id": "S0631", "name": "Chaes", "desc_en": "Chaes can modify Registry values to stored information and establish persistence." }, { "id": "S0640", "name": "Avaddon", "desc_en": "Avaddon modifies several registry keys for persistence and UAC bypass." }, { "id": "S0649", "name": "SMOKEDHAM", "desc_en": "SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP." }, { "id": "S0650", "name": "QakBot", "desc_en": "QakBot can modify the Registry to store its configuration information in a randomly named subkey under HKCU\\Software\\Microsoft." }, { "id": "S0660", "name": "Clambling", "desc_en": "Clambling can set and delete Registry keys." }, { "id": "S0662", "name": "RCSession", "desc_en": "RCSession can write its configuration file to the Registry." }, { "id": "S0663", "name": "SysUpdate", "desc_en": "SysUpdate can write its configuration file to Software\\Classes\\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER." }, { "id": "S0664", "name": "Pandora", "desc_en": "Pandora can write an encrypted token to the Registry to enable processing of remote commands." }, { "id": "S0665", "name": "ThreatNeedle", "desc_en": "ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameCon`." }, { "id": "S0666", "name": "Gelsemium", "desc_en": "Gelsemium can modify the Registry to store its components." }, { "id": "S0668", "name": "TinyTurla", "desc_en": "TinyTurla can set its configuration parameters in the Registry." }, { "id": "S0669", "name": "KOCTOPUS", "desc_en": "KOCTOPUS has added and deleted keys from the Registry." }, { "id": "S0670", "name": "WarzoneRAT", "desc_en": "WarzoneRAT can create `HKCU\\Software\\Classes\\Folder\\shell\\open\\command` as a new registry key during privilege escalation." }, { "id": "S0673", "name": "DarkWatchman", "desc_en": "DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components." }, { "id": "S0674", "name": "CharmPower", "desc_en": "CharmPower can remove persistence-related artifacts from the Registry." }, { "id": "S0677", "name": "AADInternals", "desc_en": "AADInternals can modify registry keys as part of setting a new pass-through authentication agent." }, { "id": "S0679", "name": "Ferocious", "desc_en": "Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms." }, { "id": "S0691", "name": "Neoichor", "desc_en": "Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer`." }, { "id": "S0692", "name": "SILENTTRINITY", "desc_en": "SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP)." }, { "id": "S0697", "name": "HermeticWiper", "desc_en": "HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items." }, { "id": "S1011", "name": "Tarrask", "desc_en": "Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to “hide” scheduled tasks." }, { "id": "S1025", "name": "Amadey", "desc_en": "Amadey has overwritten registry keys for persistence." }, { "id": "S1033", "name": "DCSrv", "desc_en": "DCSrv has created Registry keys for persistence." }, { "id": "S1047", "name": "Mori", "desc_en": "Mori can write data to `HKLM\\Software\\NFC\\IPA` and `HKLM\\Software\\NFC\\` and delete Registry values." }, { "id": "S1050", "name": "PcShare", "desc_en": "PcShare can delete its persistence mechanisms from the registry." }, { "id": "S1058", "name": "Prestige", "desc_en": "Prestige has the ability to register new registry keys for a new extension handler via `HKCR\\.enc` and `HKCR\\enc\\shell\\open\\command`." }, { "id": "S1059", "name": "metaMain", "desc_en": "metaMain can write the process ID of a target process into the `HKEY_LOCAL_MACHINE\\SOFTWARE\\DDE\\tpid` Registry value as part of its reflective loading activity." }, { "id": "S1060", "name": "Mafalda", "desc_en": "Mafalda can manipulate the system registry on a compromised host." }, { "id": "S1066", "name": "DarkTortilla", "desc_en": "DarkTortilla has modified registry keys for persistence." }, { "id": "S1068", "name": "BlackCat", "desc_en": "BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services \\LanmanServer\\Paramenters`" }, { "id": "S1070", "name": "Black Basta", "desc_en": "Black Basta has modified the Registry to enable itself to run in safe mode, to change the icons and file extensions for encrypted files, and to add the malware path for persistence." }, { "id": "S1090", "name": "NightClub", "desc_en": "NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence." }, { "id": "S1099", "name": "Samurai", "desc_en": "The Samurai loader component can create multiple Registry keys to force the svchost.exe process to load the final backdoor." }, { "id": "S1131", "name": "NPPSPY", "desc_en": "NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process." }, { "id": "S1132", "name": "IPsec Helper", "desc_en": "IPsec Helper can make arbitrary changes to registry keys based on provided input." }, { "id": "S1149", "name": "CHIMNEYSWEEP", "desc_en": "CHIMNEYSWEEP can use the Windows Registry Environment key to change the `%windir%` variable to point to `c:\\Windows` to enable payload execution." }, { "id": "S1178", "name": "ShrinkLocker", "desc_en": "ShrinkLocker modifies various registry keys associated with system logon and BitLocker functionality to effectively lock-out users following disk encryption." }, { "id": "S1180", "name": "BlackByte Ransomware", "desc_en": "BlackByte Ransomware modifies the victim Registry to prevent system recovery." }, { "id": "S1181", "name": "BlackByte 2.0 Ransomware", "desc_en": "BlackByte 2.0 Ransomware modifies the victim Registry to allow for elevated execution." }, { "id": "S1190", "name": "Kapeka", "desc_en": "Kapeka writes persistent configuration information to the victim host registry." }, { "id": "S1199", "name": "LockBit 2.0", "desc_en": "LockBit 2.0 can create Registry keys to bypass UAC and for persistence." }, { "id": "S1201", "name": "TRANSLATEXT", "desc_en": "TRANSLATEXT has modified the following registry key to install itself as the value, granting permission to install specified extensions: ` HKCU\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist`." }, { "id": "S1202", "name": "LockBit 3.0", "desc_en": "LockBit 3.0 can change the Registry values for Group Policy refresh time, to disable SmartScreen, and to disable Windows Defender." }, { "id": "S1226", "name": "BOOKWORM", "desc_en": "BOOKWORM has modified Registry key values as part of its created service `DeviceSync`." }, { "id": "S1230", "name": "HIUPAN", "desc_en": "HIUPAN has modified registry keys to ensure hidden files and extensions are not visible through the modification of `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced`." }, { "id": "S1242", "name": "Qilin", "desc_en": "Qilin can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client. Qilin can also modify `HKEY_CURRENT_USER\\Control Panel\\Desktop\\Wallpaper` to enable posting of ransom messages." }, { "id": "S1247", "name": "Embargo", "desc_en": "Embargo has modified and deleted Registry keys to add services, and to disable Security Solutions such as Windows Defender." }, { "id": "S9023", "name": "HiddenFace", "desc_en": "HiddenFace can store its configuration file in the Registry." }, { "id": "S9025", "name": "NOOPLDR", "desc_en": "NOOPLDR can store its payload in the Registry using a random hex string in `HKCU\\SOFTWARE\\Microsoft\\COM3`." }, { "id": "S9032", "name": "MuddyViper", "desc_en": "MuddyViper has the ability to clear the Registry values in the Windows Startup folder that were previously set for persistence." } ], "mitigations": [ { "id": "M1024", "name": "Restrict Registry Permissions", "name_ja": "レジストリ権限の制限", "desc_en": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.", "desc_ja": "レジストリキーの権限を制限し、不正な改変を防ぐ。" } ], "detections": [ { "id": "DET0280", "name": "Behavior-Based Registry Modification Detection on Windows", "name_ja": "レジストリの変更の検知", "desc_en": "", "desc_ja": "レジストリの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1133", "ja": "外部リモートサービス", "en": "External Remote Services", "desc_en": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.", "desc_ja": "敵対者は、外部公開されたリモートサービスを悪用して永続的にアクセスすることがある。", "platforms": "Containers, Linux, macOS, Windows", "version": "2.5", "created": "2017-05-31", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0002", "name": "Night Dragon", "desc_en": "During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems." }, { "id": "C0004", "name": "CostaRicto", "desc_en": "During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment." }, { "id": "C0012", "name": "Operation CuckooBees", "desc_en": "During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: `cscript //nologo \"C:\\Windows\\System32\\winrm.vbs\" set winrm/config/service@{EnableCompatibilityHttpsListener=\"true\"}`." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN." }, { "id": "C0024", "name": "SolarWinds Compromise", "desc_en": "For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools." }, { "id": "C0027", "name": "C0027", "desc_en": "During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments." }, { "id": "C0028", "name": "2015 Ukraine Electric Power Attack", "desc_en": "During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems." }, { "id": "C0032", "name": "C0032", "desc_en": "During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment." }, { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices." }, { "id": "C0063", "name": "2025 Poland Wiper Attacks", "desc_en": "During the 2025 Poland Wiper Attacks, threat actors leveraged the FortiGate VPN interface that was exposed to the internet to gain access to the victim environment." }, { "id": "G0004", "name": "Ke3chang", "desc_en": "Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has used compromised identities to access networks via VPNs and Citrix." }, { "id": "G0026", "name": "APT18", "desc_en": "APT18 actors leverage legitimate credentials to log into external remote services." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment." }, { "id": "G0053", "name": "FIN5", "desc_en": "FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access." }, { "id": "G0093", "name": "GALLIUM", "desc_en": "GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has used RDP to establish persistence." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service." }, { "id": "G0099", "name": "APT-C-36", "desc_en": "APT-C-36 has used VPNs in their operational infrastructure." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure." }, { "id": "G0114", "name": "Chimera", "desc_en": "Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services." }, { "id": "G0115", "name": "GOLD SOUTHFIELD", "desc_en": "GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines." }, { "id": "G0139", "name": "TeamTNT", "desc_en": "TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments. TeamTNT has also targeted exposed kubelets for Kubernetes environments." }, { "id": "G1003", "name": "Ember Bear", "desc_en": "Ember Bear have used VPNs both for initial access to victim environments and for persistence within them following compromise." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has leveraged legitimate remote management tools to maintain persistent access." }, { "id": "G1016", "name": "FIN13", "desc_en": "FIN13 has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN)." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions." }, { "id": "G1024", "name": "Akira", "desc_en": "Akira uses compromised VPN accounts for initial access to victim networks." }, { "id": "G1040", "name": "Play", "desc_en": "Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizations." }, { "id": "G1047", "name": "Velvet Ant", "desc_en": "Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim environments." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has leveraged public facing VPN infrastructure to gain initial access to victim environments." }, { "id": "S0362", "name": "Linux Rabbit", "desc_en": "Linux Rabbit attempts to gain access to the server via SSH." }, { "id": "S0599", "name": "Kinsing", "desc_en": "Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API." }, { "id": "S0600", "name": "Doki", "desc_en": "Doki was executed through an open Docker daemon API port." }, { "id": "S0601", "name": "Hildegard", "desc_en": "Hildegard was executed through an unsecure kubelet that allowed anonymous access to the victim environment." }, { "id": "S1060", "name": "Mafalda", "desc_en": "Mafalda can establish an SSH connection from a compromised host to a server." } ], "mitigations": [ { "id": "M1021", "name": "Restrict Web-Based Content", "name_ja": "Webベースコンテンツの制限", "desc_en": "Restrict all traffic to and from public Tor nodes.", "desc_ja": "危険なWebコンテンツへのアクセスを制限する。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1035", "name": "Limit Access to Resource Over Network", "name_ja": "ネットワーク経由のリソースアクセス制限", "desc_en": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.", "desc_ja": "ネットワーク越しのリソースアクセスを制限する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Disable or block remotely available services that may be unnecessary.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" } ], "detections": [ { "id": "DET0354", "name": "Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers", "name_ja": "外部リモートサービスの検知", "desc_en": "", "desc_ja": "外部リモートサービスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1136", "ja": "アカウントの作成", "en": "Create Account", "desc_en": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", "desc_ja": "敵対者は、新規アカウントを作成してアクセスを維持することがある。", "platforms": "Windows, IaaS, Linux, macOS, Network Devices, Containers, SaaS, Office Suite, Identity Provider, ESXi", "version": "2.6", "created": "2017-12-14", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1136.001", "ja": "ローカルアカウント", "en": "Local Account", "desc_en": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.", "desc_ja": "敵対者は、ローカルアカウントを作成して永続化することがある。" }, { "sid": ".002", "tid": "T1136.002", "ja": "ドメインアカウント", "en": "Domain Account", "desc_en": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.", "desc_ja": "敵対者は、ドメインアカウントを作成して永続化することがある。" }, { "sid": ".003", "tid": "T1136.003", "ja": "クラウドアカウント", "en": "Cloud Account", "desc_en": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.", "desc_ja": "敵対者は、クラウドアカウントを作成して永続化することがある。" } ], "procedures": [ { "id": "C0025", "name": "2016 Ukraine Electric Power Attack", "desc_en": "During the 2016 Ukraine Electric Power Attack, Sandworm Team added a login to a SQL Server with `sp_addlinkedsrvlogin`." }, { "id": "G0119", "name": "Indrik Spider", "desc_en": "Indrik Spider used wmic.exe to add a new user to the system." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider creates new user identities within the compromised organization." }, { "id": "G1045", "name": "Salt Typhoon", "desc_en": "Salt Typhoon has created Linux-level users on compromised network devices through modification of `/etc/shadow` and `/etc/passwd`." }, { "id": "S1199", "name": "LockBit 2.0", "desc_en": "LockBit 2.0 has been observed creating accounts for persistence using simple names like \"a\"." } ], "mitigations": [ { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Protect domain controllers by ensuring proper security configuration for critical servers.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Use multi-factor authentication for user and privileged accounts.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" } ], "detections": [ { "id": "DET0583", "name": "Detection Strategy for T1136 - Create Account across platforms", "name_ja": "アカウントの作成の検知", "desc_en": "", "desc_ja": "アカウントの作成に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1137", "ja": "Officeアプリ起動", "en": "Office Application Startup", "desc_en": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.", "desc_ja": "敵対者は、Officeアプリの起動機構(テンプレート/ルール等)を悪用して永続化することがある。", "platforms": "Windows, Office Suite", "version": "1.4", "created": "2017-12-14", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1137.001", "ja": "Officeテンプレートマクロ", "en": "Office Template Macros", "desc_en": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts.", "desc_ja": "敵対者は、Officeテンプレートのマクロを悪用して永続化することがある。" }, { "sid": ".002", "tid": "T1137.002", "ja": "Office Test", "en": "Office Test", "desc_en": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.", "desc_ja": "敵対者は、Office Test機能を悪用して永続化することがある。" }, { "sid": ".003", "tid": "T1137.003", "ja": "Outlookフォーム", "en": "Outlook Forms", "desc_en": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.", "desc_ja": "敵対者は、Outlookフォームを悪用して永続化することがある。" }, { "sid": ".004", "tid": "T1137.004", "ja": "Outlookホームページ", "en": "Outlook Home Page", "desc_en": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.", "desc_ja": "敵対者は、Outlookホームページを悪用して永続化することがある。" }, { "sid": ".005", "tid": "T1137.005", "ja": "Outlookルール", "en": "Outlook Rules", "desc_en": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.", "desc_ja": "敵対者は、Outlookルールを悪用して永続化することがある。" }, { "sid": ".006", "tid": "T1137.006", "ja": "アドイン", "en": "Add-ins", "desc_en": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins.", "desc_ja": "敵対者は、Officeアドインを悪用して永続化することがある。" } ], "procedures": [ { "id": "G0047", "name": "Gamaredon Group", "desc_en": "Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32 have replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence." } ], "mitigations": [ { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.\n\nDisable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine. Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" }, { "id": "M1054", "name": "Software Configuration", "name_ja": "ソフトウェア構成", "desc_en": "For the Office Test method, create the Registry key used to execute it and set the permissions to \"Read Control\" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.", "desc_ja": "ソフトウェアを安全に構成し、悪用を防ぐ。" } ], "detections": [ { "id": "DET0398", "name": "Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks", "name_ja": "Officeアプリ起動の検知", "desc_en": "", "desc_ja": "Officeアプリ起動に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1176", "ja": "ソフトウェア拡張機能", "en": "Software Extensions", "desc_en": "Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.", "desc_ja": "敵対者は、ブラウザやIDEの拡張機能を悪用して永続化することがある。", "platforms": "Linux, macOS, Windows", "version": "2.0", "created": "2018-01-16", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1176.001", "ja": "ブラウザ拡張機能", "en": "Browser Extensions", "desc_en": "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted. \n \nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners. Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions.", "desc_ja": "敵対者は、ブラウザ拡張機能を悪用して永続化や情報窃取を行うことがある。" }, { "sid": ".002", "tid": "T1176.002", "ja": "IDE拡張機能", "en": "IDE Extensions", "desc_en": "Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems. IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., Compromise Software Dependencies and Development Tools) or side-loaded directly into the IDE.", "desc_ja": "敵対者は、IDE拡張機能を悪用して永続化やコード実行を行うことがある。" } ], "procedures": [], "mitigations": [ { "id": "M1017", "name": "User Training", "name_ja": "ユーザー教育", "desc_en": "Train users to minimize extension use, and to only install trusted extensions.", "desc_ja": "ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。" }, { "id": "M1033", "name": "Limit Software Installation", "name_ja": "ソフトウェアインストールの制限", "desc_en": "Only install extensions from trusted sources that can be verified.", "desc_ja": "ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Set an extension allow or deny list as appropriate for your security policy.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Ensure operating systems and software are using the most current version.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0092", "name": "Detection of Malicious or Unauthorized Software Extensions", "name_ja": "ソフトウェア拡張機能の検知", "desc_en": "", "desc_ja": "ソフトウェア拡張機能に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1197", "ja": "BITSジョブ", "en": "BITS Jobs", "desc_en": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.", "desc_ja": "敵対者は、Windowsのバックグラウンドインテリジェント転送サービス(BITS)を悪用してダウンロードや実行・永続化を行うことがある。", "platforms": "Windows", "version": "2.0", "created": "2018-04-18", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "G0040", "name": "Patchwork", "desc_en": "Patchwork has used BITS jobs to download malicious payloads." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has used BITSAdmin to download additional tools." }, { "id": "G0087", "name": "APT39", "desc_en": "APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used BITSAdmin to download and install payloads." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has used batch scripts that utilizes WMIC to execute a BITSAdmin transfer of a ransomware payload to each compromised machine." }, { "id": "S0154", "name": "Cobalt Strike", "desc_en": "Cobalt Strike can download a hosted \"beacon\" payload using BITSAdmin." }, { "id": "S0190", "name": "BITSAdmin", "desc_en": "BITSAdmin can be used to create BITS Jobs to launch a malicious process." }, { "id": "S0201", "name": "JPIN", "desc_en": "A JPIN variant downloads the backdoor payload via the BITS service." }, { "id": "S0333", "name": "UBoatRAT", "desc_en": "UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence." }, { "id": "S0534", "name": "Bazar", "desc_en": "Bazar has been downloaded via Windows BITS functionality." }, { "id": "S0554", "name": "Egregor", "desc_en": "Egregor has used BITSadmin to download and execute malicious DLLs." }, { "id": "S0652", "name": "MarkiRAT", "desc_en": "MarkiRAT can use BITS Utility to connect with the C2 server." }, { "id": "S0654", "name": "ProLock", "desc_en": "ProLock can use BITS jobs to download its malicious payload." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Consider limiting access to the BITS interface to specific users or groups.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Consider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout and MaxDownloadTime Registry values in HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\BITS.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1037", "name": "Filter Network Traffic", "name_ja": "ネットワークトラフィックのフィルタリング", "desc_en": "Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.", "desc_ja": "ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。" } ], "detections": [ { "id": "DET0098", "name": "Detect abuse of Windows BITS Jobs for download, execution and persistence", "name_ja": "BITSジョブの検知", "desc_en": "", "desc_ja": "BITSジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1205", "ja": "トラフィックシグナリング", "en": "Traffic Signaling", "desc_en": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.", "desc_ja": "敵対者は、特定のパケット列を合図にバックドアを起動して検知を回避することがある。", "platforms": "Linux, macOS, Network Devices, Windows", "version": "3.0", "created": "2018-04-18", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1205.001", "ja": "ポートノッキング", "en": "Port Knocking", "desc_en": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.", "desc_ja": "敵対者は、特定ポートへの接続列(ポートノッキング)を合図にバックドアを起動することがある。" }, { "sid": ".002", "tid": "T1205.002", "ja": "ソケットフィルタ", "en": "Socket Filters", "desc_en": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.", "desc_ja": "敵対者は、ソケットフィルタを用いて特定パケットを合図に動作することがある。" } ], "procedures": [ { "id": "C0029", "name": "Cutting Edge", "desc_en": "During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the `/tmp/clientsDownload.sock` socket." }, { "id": "C0056", "name": "RedPenguin", "desc_en": "During RedPenguin, UNC3886 leveraged malware capable of inpecting packets for a magic-string to activate backdoor functionalities." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has used TRANSLATEXT to redirect clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters." }, { "id": "G0129", "name": "Mustang Panda", "desc_en": "Mustang Panda has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of “17 03 03” or “46 77 4d”." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices." }, { "id": "S0022", "name": "Uroburos", "desc_en": "Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application." }, { "id": "S0220", "name": "Chaos", "desc_en": "Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port." }, { "id": "S0221", "name": "Umbreon", "desc_en": "Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet." }, { "id": "S0430", "name": "Winnti for Linux", "desc_en": "Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism." }, { "id": "S0446", "name": "Ryuk", "desc_en": "Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement." }, { "id": "S0519", "name": "SYNful Knock", "desc_en": "SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages." }, { "id": "S0587", "name": "Penquin", "desc_en": "Penquin will connect to C2 only after sniffing a \"magic packet\" value in TCP or UDP packets matching specific conditions." }, { "id": "S0641", "name": "Kobalos", "desc_en": "Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port." }, { "id": "S0664", "name": "Pandora", "desc_en": "Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command." }, { "id": "S1114", "name": "ZIPLINE", "desc_en": "ZIPLINE can identify a specific string in intercepted network traffic, `SSH-2.0-OpenSSH_0.3xx.`, to trigger its command functionality." }, { "id": "S1118", "name": "BUSHWALK", "desc_en": "BUSHWALK can modify the `DSUserAgentCap.pm` Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests." }, { "id": "S1201", "name": "TRANSLATEXT", "desc_en": "TRANSLATEXT has redirected clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters." }, { "id": "S1203", "name": "J-magic", "desc_en": "J-magic can monitor TCP traffic for packets containing one of five different predefined parameters and will spawn a reverse shell if one of the parameters and the proper response string to a subsequent challenge is received." }, { "id": "S1219", "name": "REPTILE", "desc_en": "The REPTILE reverse shell component can listen for a specialized packet in TCP, UDP, or ICMP for activation." }, { "id": "S1228", "name": "PUBLOAD", "desc_en": "PUBLOAD has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of 17 03 03. PUBLOAD has also used magic bytes consisting of 46 77 4d." }, { "id": "S1239", "name": "TONESHELL", "desc_en": "TONESHELL has utilized a magic value in C2 communications and only executes in memory when response packets match specific values." }, { "id": "S9011", "name": "BRUSHFIRE", "desc_en": "BRUSHFIRE has monitored inbound VPN traffic to compromised appliances until specific inbound packets contain a specific magic string/pattern instead of external beaconing." } ], "mitigations": [ { "id": "M1037", "name": "Filter Network Traffic", "name_ja": "ネットワークトラフィックのフィルタリング", "desc_en": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.", "desc_ja": "ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Disable Wake-on-LAN if it is not needed within an environment.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" } ], "detections": [ { "id": "DET0524", "name": "Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205", "name_ja": "トラフィックシグナリングの検知", "desc_en": "", "desc_ja": "トラフィックシグナリングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1505", "ja": "サーバーソフトウェアコンポーネント", "en": "Server Software Component", "desc_en": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.", "desc_ja": "敵対者は、サーバーソフトのコンポーネント(Webシェル等)を悪用して永続化することがある。", "platforms": "Windows, Linux, macOS, Network Devices, ESXi", "version": "1.5", "created": "2019-06-28", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1505.001", "ja": "SQLストアドプロシージャ", "en": "SQL Stored Procedures", "desc_en": "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).", "desc_ja": "敵対者は、SQLストアドプロシージャを悪用して永続化することがある。" }, { "sid": ".002", "tid": "T1505.002", "ja": "トランスポートエージェント", "en": "Transport Agent", "desc_en": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.", "desc_ja": "敵対者は、メールサーバのトランスポートエージェントを悪用して永続化することがある。" }, { "sid": ".003", "tid": "T1505.003", "ja": "Webシェル", "en": "Web Shell", "desc_en": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.", "desc_ja": "敵対者は、Webシェルを設置してサーバへのアクセスを維持することがある。" }, { "sid": ".004", "tid": "T1505.004", "ja": "IISコンポーネント", "en": "IIS Components", "desc_en": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.", "desc_ja": "敵対者は、IISコンポーネント(モジュール等)を悪用して永続化することがある。" }, { "sid": ".005", "tid": "T1505.005", "ja": "ターミナルサービスDLL", "en": "Terminal Services DLL", "desc_en": "Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.", "desc_ja": "敵対者は、ターミナルサービスDLLを悪用して永続化することがある。" }, { "sid": ".006", "tid": "T1505.006", "ja": "vSphereインストールバンドル", "en": "vSphere Installation Bundles", "desc_en": "Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.", "desc_ja": "敵対者は、vSphereインストールバンドル(VIB)を悪用して永続化することがある。" } ], "procedures": [], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1024", "name": "Restrict Registry Permissions", "name_ja": "レジストリ権限の制限", "desc_en": "Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry.", "desc_ja": "レジストリキーの権限を制限し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Consider disabling software components from servers when possible to prevent abuse by adversaries.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" }, { "id": "M1045", "name": "Code Signing", "name_ja": "コード署名", "desc_en": "Ensure all application component binaries are signed by the correct application developers.", "desc_ja": "コード署名を検証し、未署名・不正なコードの実行を防ぐ。" }, { "id": "M1046", "name": "Boot Integrity", "name_ja": "ブートインテグリティ", "desc_en": "Enabling secure boot allows validation of software and drivers during initial system boot.", "desc_ja": "ブートの完全性を検証し、起動段階での改ざんを防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0547", "name": "Detection Strategy for T1505 - Server Software Component", "name_ja": "サーバーソフトウェアコンポーネントの検知", "desc_en": "", "desc_ja": "サーバーソフトウェアコンポーネントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1525", "ja": "内部イメージへの埋め込み", "en": "Implant Internal Image", "desc_en": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.", "desc_ja": "敵対者は、コンテナ/VMのイメージに悪意あるコードを埋め込んで永続化することがある。", "platforms": "IaaS, Containers", "version": "2.2", "created": "2019-09-04", "modified": "2025-10-24", "subs": [], "procedures": [], "mitigations": [ { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1045", "name": "Code Signing", "name_ja": "コード署名", "desc_en": "Several cloud service providers support content trust models that require container images be signed by trusted sources.", "desc_ja": "コード署名を検証し、未署名・不正なコードの実行を防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0334", "name": "Detection Strategy for T1525 – Implant Internal Image", "name_ja": "内部イメージへの埋め込みの検知", "desc_en": "", "desc_ja": "内部イメージへの埋め込みに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1542", "ja": "OS起動前ブート", "en": "Pre-OS Boot", "desc_en": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.", "desc_ja": "敵対者は、OS起動前のブート機構(ファームウェア/ブートキット等)を悪用して永続化することがある。", "platforms": "Linux, macOS, Network Devices, Windows", "version": "2.0", "created": "2019-11-13", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1542.001", "ja": "システムファームウェア", "en": "System Firmware", "desc_en": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.", "desc_ja": "敵対者は、システムファームウェアを改変して永続化や防御妨害を行うことがある。" }, { "sid": ".002", "tid": "T1542.002", "ja": "コンポーネントファームウェア", "en": "Component Firmware", "desc_en": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.", "desc_ja": "敵対者は、コンポーネントファームウェアを改変して永続化することがある。" }, { "sid": ".003", "tid": "T1542.003", "ja": "ブートキット", "en": "Bootkit", "desc_en": "Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "desc_ja": "敵対者は、ブートキットを用いて起動段階で永続化することがある。" }, { "sid": ".004", "tid": "T1542.004", "ja": "ROMMONkit", "en": "ROMMONkit", "desc_en": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect.", "desc_ja": "敵対者は、ROMMONを改変(ROMMONkit)してネットワーク機器で永続化することがある。" }, { "sid": ".005", "tid": "T1542.005", "ja": "TFTPブート", "en": "TFTP Boot", "desc_en": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.", "desc_ja": "敵対者は、TFTPブートを悪用してシステムイメージを改変・永続化することがある。" } ], "procedures": [], "mitigations": [ { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1035", "name": "Limit Access to Resource Over Network", "name_ja": "ネットワーク経由のリソースアクセス制限", "desc_en": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "desc_ja": "ネットワーク越しのリソースアクセスを制限する。" }, { "id": "M1046", "name": "Boot Integrity", "name_ja": "ブートインテグリティ", "desc_en": "Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification.", "desc_ja": "ブートの完全性を検証し、起動段階での改ざんを防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Patch the BIOS and EFI as necessary.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0278", "name": "Detection Strategy for T1542 Pre-OS Boot", "name_ja": "OS起動前ブートの検知", "desc_en": "", "desc_ja": "OS起動前ブートに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1543", "ja": "システムプロセスの作成/変更", "en": "Create or Modify System Process", "desc_en": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.", "desc_ja": "敵対者は、サービスやデーモン等のシステムプロセスを作成/変更して永続化することがある。", "platforms": "Containers, Linux, macOS, Windows", "version": "1.2", "created": "2020-01-10", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1543.001", "ja": "Launch Agent", "en": "Launch Agent", "desc_en": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.", "desc_ja": "敵対者は、Launch Agentを作成/変更してmacOSで永続化することがある。" }, { "sid": ".002", "tid": "T1543.002", "ja": "systemdサービス", "en": "Systemd Service", "desc_en": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.", "desc_ja": "敵対者は、systemdサービスを作成/変更してLinuxで永続化することがある。" }, { "sid": ".003", "tid": "T1543.003", "ja": "Windowsサービス", "en": "Windows Service", "desc_en": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.", "desc_ja": "敵対者は、Windowsサービスを作成/変更して永続化することがある。" }, { "sid": ".004", "tid": "T1543.004", "ja": "Launch Daemon", "en": "Launch Daemon", "desc_en": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.", "desc_ja": "敵対者は、Launch Daemonを作成/変更してmacOSで永続化することがある。" }, { "sid": ".005", "tid": "T1543.005", "ja": "コンテナサービス", "en": "Container Service", "desc_en": "Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.", "desc_ja": "敵対者は、コンテナサービスを作成/変更して永続化することがある。" } ], "procedures": [ { "id": "S0401", "name": "Exaramel for Linux", "desc_en": "Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root." }, { "id": "S1121", "name": "LITTLELAMB.WOOLTEA", "desc_en": "LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background." }, { "id": "S1142", "name": "LunarMail", "desc_en": "LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory." }, { "id": "S1152", "name": "IMAPLoader", "desc_en": "IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification." }, { "id": "S1184", "name": "BOLDMOVE", "desc_en": "BOLDMOVE can free all resources and terminate itself on victim machines." }, { "id": "S1194", "name": "Akira _v2", "desc_en": "Akira _v2 can create a child process for encryption." }, { "id": "S9015", "name": "BRICKSTORM", "desc_en": "BRICKSTORM has created a new background session and has spawned a child process of a parent process when it determines it is not running in its intended state." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1033", "name": "Limit Software Installation", "name_ja": "ソフトウェアインストールの制限", "desc_en": "Restrict software installation to trusted repositories only and be cautious of orphaned software packages.", "desc_ja": "ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" }, { "id": "M1045", "name": "Code Signing", "name_ja": "コード署名", "desc_en": "Enforce registration and execution of only legitimately signed service drivers where possible.", "desc_ja": "コード署名を検証し、未署名・不正なコードの実行を防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" }, { "id": "M1054", "name": "Software Configuration", "name_ja": "ソフトウェア構成", "desc_en": "Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.", "desc_ja": "ソフトウェアを安全に構成し、悪用を防ぐ。" } ], "detections": [ { "id": "DET0571", "name": "Detection of System Process Creation or Modification Across Platforms", "name_ja": "システムプロセスの作成/変更の検知", "desc_en": "", "desc_ja": "システムプロセスの作成/変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1546", "ja": "イベントトリガー実行", "en": "Event Triggered Execution", "desc_en": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.", "desc_ja": "敵対者は、特定イベントを契機に悪意あるコードが実行されるよう設定して永続化することがある。", "platforms": "Linux, macOS, Windows, SaaS, IaaS, Office Suite", "version": "1.4", "created": "2020-01-22", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1546.001", "ja": "既定のファイル関連付けの変更", "en": "Change Default File Association", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", "desc_ja": "敵対者は、既定のファイル関連付けを変更してイベント契機でコードを実行することがある。" }, { "sid": ".002", "tid": "T1546.002", "ja": "スクリーンセーバー", "en": "Screensaver", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations.", "desc_ja": "敵対者は、スクリーンセーバーを悪用してコードを実行することがある。" }, { "sid": ".003", "tid": "T1546.003", "ja": "WMIイベントサブスクリプション", "en": "Windows Management Instrumentation Event Subscription", "desc_en": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.", "desc_ja": "敵対者は、WMIイベントサブスクリプションを悪用してイベント契機で実行・永続化することがある。" }, { "sid": ".004", "tid": "T1546.004", "ja": "Unixシェル構成の変更", "en": "Unix Shell Configuration Modification", "desc_en": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.", "desc_ja": "敵対者は、Unixシェルの構成ファイルを改変してコードを実行することがある。" }, { "sid": ".005", "tid": "T1546.005", "ja": "Trap", "en": "Trap", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.", "desc_ja": "敵対者は、シェルのtrapを悪用してシグナル契機でコードを実行することがある。" }, { "sid": ".006", "tid": "T1546.006", "ja": "LC_LOAD_DYLIBの追加", "en": "LC_LOAD_DYLIB Addition", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes.", "desc_ja": "敵対者は、LC_LOAD_DYLIBを追加してmach-oバイナリにコードをロードさせることがある。" }, { "sid": ".007", "tid": "T1546.007", "ja": "NetshヘルパDLL", "en": "Netsh Helper DLL", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.", "desc_ja": "敵対者は、NetshヘルパDLLを悪用して永続化することがある。" }, { "sid": ".008", "tid": "T1546.008", "ja": "アクセシビリティ機能", "en": "Accessibility Features", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "desc_ja": "敵対者は、アクセシビリティ機能(stickykeys等)を悪用してコードを実行することがある。" }, { "sid": ".009", "tid": "T1546.009", "ja": "AppCert DLL", "en": "AppCert DLLs", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.", "desc_ja": "敵対者は、AppCert DLLを悪用してコードを実行・永続化することがある。" }, { "sid": ".010", "tid": "T1546.010", "ja": "AppInit DLL", "en": "AppInit DLLs", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.", "desc_ja": "敵対者は、AppInit DLLを悪用してコードを実行・永続化することがある。" }, { "sid": ".011", "tid": "T1546.011", "ja": "アプリケーションシミング", "en": "Application Shimming", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.", "desc_ja": "敵対者は、アプリケーションシミング(shim)を悪用して永続化することがある。" }, { "sid": ".012", "tid": "T1546.012", "ja": "IFEOインジェクション", "en": "Image File Execution Options Injection", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g notepad.exe).", "desc_ja": "敵対者は、IFEOインジェクションを悪用してデバッガ起動契機で実行することがある。" }, { "sid": ".013", "tid": "T1546.013", "ja": "PowerShellプロファイル", "en": "PowerShell Profile", "desc_en": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.", "desc_ja": "敵対者は、PowerShellプロファイルを改変してコードを実行・永続化することがある。" }, { "sid": ".014", "tid": "T1546.014", "ja": "Emond", "en": "Emond", "desc_en": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.", "desc_ja": "敵対者は、Emondを悪用してイベント契機でコードを実行することがある。" }, { "sid": ".015", "tid": "T1546.015", "ja": "COMハイジャック", "en": "Component Object Model Hijacking", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry.", "desc_ja": "敵対者は、COMハイジャックを悪用してコードを実行・永続化することがある。" }, { "sid": ".016", "tid": "T1546.016", "ja": "インストーラパッケージ", "en": "Installer Packages", "desc_en": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.", "desc_ja": "敵対者は、インストーラパッケージを悪用してコードを実行・永続化することがある。" }, { "sid": ".017", "tid": "T1546.017", "ja": "Udevルール", "en": "Udev Rules", "desc_en": "Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.", "desc_ja": "敵対者は、udevルールを悪用してデバイスイベント契機で実行することがある。" }, { "sid": ".018", "tid": "T1546.018", "ja": "Python起動フック", "en": "Python Startup Hooks", "desc_en": "Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.", "desc_ja": "敵対者は、Python起動フックを悪用してコードを実行することがある。" } ], "procedures": [ { "id": "C0035", "name": "KV Botnet Activity", "desc_en": "KV Botnet Activity involves managing events on victim systems via libevent to execute a callback function when any running process contains the following references in their path without also having a reference to bioset: busybox, wget, curl, tftp, telnetd, or lua. If the bioset string is not found, the related process is terminated." }, { "id": "S0658", "name": "XCSSET", "desc_en": "XCSSET's `dfhsebxzod` module searches for `.xcodeproj` directories within the user’s home folder and subdirectories. For each match, it locates the corresponding `project.pbxproj` file and embeds an encoded payload into a build rule, target configuration, or project setting. The payload is later executed during the build process." }, { "id": "S1091", "name": "Pacu", "desc_en": "Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups." }, { "id": "S1164", "name": "UPSTYLE", "desc_en": "UPSTYLE creates a `.pth` file beginning with the text `import` so that any time another process or script attempts to reference the modified item the malicious code will also run." } ], "mitigations": [ { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Perform regular software updates to mitigate exploitation risk.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0010", "name": "Behavioral Detection of Event Triggered Execution Across Platforms", "name_ja": "イベントトリガー実行の検知", "desc_en": "", "desc_ja": "イベントトリガー実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1547", "ja": "起動/ログオン時の自動実行", "en": "Boot or Logon Autostart Execution", "desc_en": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.", "desc_ja": "敵対者は、起動/ログオン時の自動実行機構を悪用して永続化することがある。", "platforms": "Linux, macOS, Windows, Network Devices", "version": "1.3", "created": "2020-01-23", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1547.001", "ja": "レジストリRunキー/スタートアップフォルダ", "en": "Registry Run Keys / Startup Folder", "desc_en": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.", "desc_ja": "敵対者は、レジストリRunキーやスタートアップフォルダを悪用して永続化することがある。" }, { "sid": ".002", "tid": "T1547.002", "ja": "認証パッケージ", "en": "Authentication Package", "desc_en": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.", "desc_ja": "敵対者は、認証パッケージを悪用してコードを実行・永続化することがある。" }, { "sid": ".003", "tid": "T1547.003", "ja": "タイムプロバイダ", "en": "Time Providers", "desc_en": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.", "desc_ja": "敵対者は、タイムプロバイダを悪用してコードを実行・永続化することがある。" }, { "sid": ".004", "tid": "T1547.004", "ja": "WinlogonヘルパDLL", "en": "Winlogon Helper DLL", "desc_en": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon.", "desc_ja": "敵対者は、WinlogonヘルパDLLを悪用して永続化することがある。" }, { "sid": ".005", "tid": "T1547.005", "ja": "セキュリティサポートプロバイダ", "en": "Security Support Provider", "desc_en": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "desc_ja": "敵対者は、セキュリティサポートプロバイダ(SSP)を悪用して永続化することがある。" }, { "sid": ".006", "tid": "T1547.006", "ja": "カーネルモジュールと拡張", "en": "Kernel Modules and Extensions", "desc_en": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.", "desc_ja": "敵対者は、カーネルモジュールや拡張を悪用して永続化することがある。" }, { "sid": ".007", "tid": "T1547.007", "ja": "再オープンアプリケーション", "en": "Re-opened Applications", "desc_en": "Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to \"Reopen windows when logging back in\". When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon.", "desc_ja": "敵対者は、再オープンアプリケーション機能を悪用して永続化することがある。" }, { "sid": ".008", "tid": "T1547.008", "ja": "LSASSドライバ", "en": "LSASS Driver", "desc_en": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.", "desc_ja": "敵対者は、LSASSドライバを悪用してコードを実行・永続化することがある。" }, { "sid": ".009", "tid": "T1547.009", "ja": "ショートカットの変更", "en": "Shortcut Modification", "desc_en": "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.", "desc_ja": "敵対者は、ショートカット(.lnk)を改変して永続化することがある。" }, { "sid": ".010", "tid": "T1547.010", "ja": "ポートモニタ", "en": "Port Monitors", "desc_en": "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\\Windows\\System32 and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.", "desc_ja": "敵対者は、ポートモニタを悪用して永続化することがある。" }, { "sid": ".012", "tid": "T1547.012", "ja": "プリントプロセッサ", "en": "Print Processors", "desc_en": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.", "desc_ja": "敵対者は、プリントプロセッサを悪用して永続化することがある。" }, { "sid": ".013", "tid": "T1547.013", "ja": "XDG自動起動エントリ", "en": "XDG Autostart Entries", "desc_en": "Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.", "desc_ja": "敵対者は、XDG自動起動エントリを悪用してLinuxで永続化することがある。" }, { "sid": ".014", "tid": "T1547.014", "ja": "Active Setup", "en": "Active Setup", "desc_en": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level.", "desc_ja": "敵対者は、Active Setupを悪用して永続化することがある。" }, { "sid": ".015", "tid": "T1547.015", "ja": "ログインアイテム", "en": "Login Items", "desc_en": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.", "desc_ja": "敵対者は、ログインアイテムを悪用してmacOSで永続化することがある。" } ], "procedures": [ { "id": "G1044", "name": "APT42", "desc_en": "APT42 has modified the Registry to maintain persistence." }, { "id": "S0083", "name": "Misdat", "desc_en": "Misdat has created registry keys for persistence, including `HKCU\\Software\\dnimtsoleht\\StubPath`, `HKCU\\Software\\snimtsOleht\\StubPath`, `HKCU\\Software\\Backtsaleht\\StubPath`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed. Components\\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`." }, { "id": "S0084", "name": "Mis-Type", "desc_en": "Mis-Type has created registry keys for persistence, including `HKCU\\Software\\bkfouerioyou`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`." }, { "id": "S0567", "name": "Dtrack", "desc_en": "Dtrack’s RAT makes a persistent target file with auto execution on the host start." }, { "id": "S0651", "name": "BoxCaon", "desc_en": "BoxCaon established persistence by setting the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load registry key to point to its executable." }, { "id": "S0653", "name": "xCaon", "desc_en": "xCaon has added persistence via the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load which causes the malware to run each time any user logs in." } ], "mitigations": [], "detections": [ { "id": "DET0274", "name": "Boot or Logon Autostart Execution Detection Strategy", "name_ja": "起動/ログオン時の自動実行の検知", "desc_en": "", "desc_ja": "起動/ログオン時の自動実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1554", "ja": "ホストソフトウェアバイナリの侵害", "en": "Compromise Host Software Binary", "desc_en": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.", "desc_ja": "敵対者は、正規のソフトウェアバイナリを改ざんして永続化することがある。", "platforms": "ESXi, Linux, macOS, Windows", "version": "2.2", "created": "2020-02-11", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0025", "name": "2016 Ukraine Electric Power Attack", "desc_en": "During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer." }, { "id": "C0029", "name": "Cutting Edge", "desc_en": "During Cutting Edge, threat actors trojanized legitimate files in Ivanti Connect Secure appliances with malicious code." }, { "id": "C0056", "name": "RedPenguin", "desc_en": "During RedPenguin, UNC3886 peformed a local memory patching attack to modify the snmpd and mgd Junos OS daemons." }, { "id": "G1023", "name": "APT5", "desc_en": "APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has trojanized Fortinet firmware and replaced the legitimate `/usr/bin/tac_plus` TACACS+ daemon for Linux with a malicious version containing credential logging functionality." }, { "id": "S0377", "name": "Ebury", "desc_en": "Ebury modifies the `keyutils` library to add malicious behavior to the OpenSSH client and the curl library." }, { "id": "S0486", "name": "Bonadan", "desc_en": "Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor." }, { "id": "S0487", "name": "Kessel", "desc_en": "Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor." }, { "id": "S0595", "name": "ThiefQuest", "desc_en": "ThiefQuest searches through the /Users/ folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior." }, { "id": "S0604", "name": "Industroyer", "desc_en": "Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism." }, { "id": "S0641", "name": "Kobalos", "desc_en": "Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems." }, { "id": "S0658", "name": "XCSSET", "desc_en": "XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules." }, { "id": "S1104", "name": "SLOWPULSE", "desc_en": "SLOWPULSE is applied in compromised environments through modifications to legitimate Pulse Secure files." }, { "id": "S1115", "name": "WIREFIRE", "desc_en": "WIREFIRE can modify the `visits.py` component of Ivanti Connect Secure VPNs for file download and arbitrary command execution." }, { "id": "S1116", "name": "WARPWIRE", "desc_en": "WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs." }, { "id": "S1118", "name": "BUSHWALK", "desc_en": "BUSHWALK can embed into the legitimate `querymanifest.cgi` file on compromised Ivanti Connect Secure VPNs." }, { "id": "S1119", "name": "LIGHTWIRE", "desc_en": "LIGHTWIRE can imbed itself into the legitimate `compcheckresult.cgi` component of Ivanti Connect Secure VPNs to enable command execution." }, { "id": "S1120", "name": "FRAMESTING", "desc_en": "FRAMESTING can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in `/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py.`" }, { "id": "S1121", "name": "LITTLELAMB.WOOLTEA", "desc_en": "LITTLELAMB.WOOLTEA can append malicious components to the `tmp/tmpmnt/bin/samba_upgrade.tar` archive inside the factory reset partition in attempt to persist post reset." }, { "id": "S1136", "name": "BFG Agonizer", "desc_en": "BFG Agonizer uses DLL unhooking to remove user mode inline hooks that security solutions often implement. BFG Agonizer also uses IAT unhooking to remove user-mode IAT hooks that security solutions also use." }, { "id": "S1184", "name": "BOLDMOVE", "desc_en": "BOLDMOVE contains a watchdog-like feature that monitors a particular file for modification. If modification is detected, the legitimate file is backed up and replaced with a trojanized file to allow for persistence through likely system upgrades." }, { "id": "S9010", "name": "GlassWorm", "desc_en": "GlassWorm can modify hardware wallet applications." }, { "id": "S9014", "name": "PHASEJAM", "desc_en": "PHASEJAM has modified legitimate components to enable persistence and execution, including inserting a web shell into `getComponent.cgi` and `restAuth.cgi`, modifying `DSUpgrade.pm` to block system upgrades, and overwriting `remotedebug` to execute arbitrary commands when specific parameters are provided." } ], "mitigations": [ { "id": "M1045", "name": "Code Signing", "name_ja": "コード署名", "desc_en": "Ensure all application component binaries are signed by the correct application developers.", "desc_ja": "コード署名を検証し、未署名・不正なコードの実行を防ぐ。" } ], "detections": [ { "id": "DET0336", "name": "Detect Compromise of Host Software Binaries", "name_ja": "ホストソフトウェアバイナリの侵害の検知", "desc_en": "", "desc_ja": "ホストソフトウェアバイナリの侵害に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1556", "ja": "認証プロセスの変更", "en": "Modify Authentication Process", "desc_en": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.", "desc_ja": "敵対者は、認証メカニズムを改変して永続化や認証情報取得を行うことがある。", "platforms": "IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows", "version": "3.0", "created": "2020-02-11", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1556.001", "ja": "ドメインコントローラ認証", "en": "Domain Controller Authentication", "desc_en": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.", "desc_ja": "敵対者は、ドメインコントローラの認証処理を改変して認証を回避/取得することがある。" }, { "sid": ".002", "tid": "T1556.002", "ja": "パスワードフィルタDLL", "en": "Password Filter DLL", "desc_en": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.", "desc_ja": "敵対者は、パスワードフィルタDLLを登録して平文パスワードを取得することがある。" }, { "sid": ".003", "tid": "T1556.003", "ja": "プラガブル認証モジュール(PAM)", "en": "Pluggable Authentication Modules", "desc_en": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.", "desc_ja": "敵対者は、LinuxのPAMを改変して認証を回避/取得することがある。" }, { "sid": ".004", "tid": "T1556.004", "ja": "ネットワークデバイス認証", "en": "Network Device Authentication", "desc_en": "Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.", "desc_ja": "敵対者は、ネットワーク機器の認証処理を改変することがある。" }, { "sid": ".005", "tid": "T1556.005", "ja": "可逆暗号化", "en": "Reversible Encryption", "desc_en": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.", "desc_ja": "敵対者は、可逆暗号化を有効化してパスワード取得を容易にすることがある。" }, { "sid": ".006", "tid": "T1556.006", "ja": "多要素認証", "en": "Multi-Factor Authentication", "desc_en": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.", "desc_ja": "敵対者は、MFA設定を改変して回避することがある。" }, { "sid": ".007", "tid": "T1556.007", "ja": "ハイブリッドID", "en": "Hybrid Identity", "desc_en": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.", "desc_ja": "敵対者は、ハイブリッドID基盤の認証処理を改変することがある。" }, { "sid": ".008", "tid": "T1556.008", "ja": "ネットワークプロバイダDLL", "en": "Network Provider DLL", "desc_en": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.", "desc_ja": "敵対者は、ネットワークプロバイダDLLを悪用して認証情報を取得することがある。" }, { "sid": ".009", "tid": "T1556.009", "ja": "条件付きアクセスポリシー", "en": "Conditional Access Policies", "desc_en": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.", "desc_ja": "敵対者は、条件付きアクセスポリシーを改変して認証制御を回避することがある。" } ], "procedures": [ { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor included modification of the AAA process to bypass authentication mechanisms." }, { "id": "G1016", "name": "FIN13", "desc_en": "FIN13 has replaced legitimate KeePass binaries with trojanized versions to collect passwords from numerous applications." }, { "id": "S0377", "name": "Ebury", "desc_en": "Ebury can intercept private keys using a trojanized ssh-add function." }, { "id": "S0487", "name": "Kessel", "desc_en": "Kessel has trojanized the ssh_login and user-auth_pubkey functions to steal plaintext credentials." }, { "id": "S0692", "name": "SILENTTRINITY", "desc_en": "SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook." }, { "id": "S9013", "name": "DRYHOOK", "desc_en": "DRYHOOK has intercepted and logged user credentials by modifying the Perl module in Ivanti Connect Secure VPN edge-devices located within `/home/perl/DSAuth.pm`." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Ensure that proper policies are implemented to dictate the the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict write access to the `/Library/Security/SecurityAgentPlugins` directory.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1024", "name": "Restrict Registry Permissions", "name_ja": "レジストリ権限の制限", "desc_en": "Restrict Registry permissions to disallow the modification of sensitive Registry keys such as `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`.", "desc_ja": "レジストリキーの権限を制限し、不正な改変を防ぐ。" }, { "id": "M1025", "name": "Privileged Process Integrity", "name_ja": "特権プロセスの完全性", "desc_en": "Enabled features, such as Protected Process Light (PPL), for LSA.", "desc_ja": "特権プロセスの完全性を保護し、不正なコード注入を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. \n\nLimit access to the root account and prevent users from modifying protected components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.\n\nLimit on-premises accounts with access to the hybrid identity solution in place. For example, limit Azure AD Global Administrator accounts to only those required, and ensure that these are dedicated cloud-only accounts rather than hybrid ones.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1027", "name": "Password Policies", "name_ja": "パスワードポリシー", "desc_en": "Ensure that AllowReversiblePasswordEncryption property is set to disabled unless there are application requirements.", "desc_ja": "強固なパスワードポリシーを適用し、推測・解読を困難にする。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (`C:\\Windows\\System32\\` by default) of a domain controller and/or local computer with a corresponding entry in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages`. \n\nStarting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.\n\nPeriodically review the hybrid identity solution in use for any discrepancies. For example, review all Pass Through Authentication (PTA) agents in the Azure Management Portal to identify any unwanted or unapproved ones. If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.\n\nPeriodically review for new and unknown network provider DLLs within the Registry (`HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\NetworkProvider\\ProviderPath`). Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`, and have corresponding service subkey pointing to a DLL at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentC ontrolSet\\Services\\\\NetworkProvider`.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0104", "name": "Detect Modification of Authentication Processes Across Platforms", "name_ja": "認証プロセスの変更の検知", "desc_en": "", "desc_ja": "認証プロセスの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1653", "ja": "電源設定", "en": "Power Settings", "desc_en": "Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.", "desc_ja": "敵対者は、電源設定を変更してシステムの可用性や永続化に影響を与えることがある。", "platforms": "Windows, Linux, macOS, Network Devices", "version": "1.1", "created": "2023-06-05", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor involved exploitation of CVE-2024-20353 to force a victim Cisco ASA to reboot, triggering the automated unzipping and execution of the Line Runner implant." }, { "id": "S1186", "name": "Line Dancer", "desc_en": "Line Dancer can modify the crash dump process on infected machines to skip crash dump generation and proceed directly to device reboot for both persistence and forensic evasion purposes." }, { "id": "S1188", "name": "Line Runner", "desc_en": "Line Runner used CVE-2024-20353 to trigger victim devices to reboot, in the process unzipping and installing the Line Dancer payload." } ], "mitigations": [ { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activty.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0417", "name": "Detection Strategy for Power Settings Abuse", "name_ja": "電源設定の検知", "desc_en": "", "desc_ja": "電源設定に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1668", "ja": "排他的制御", "en": "Exclusive Control", "desc_en": "Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them – in other words, by preventing other threat actors from initially accessing or maintaining a foothold on the same system.", "desc_ja": "敵対者は、リソースを排他的に占有して他者のアクセスを排除し永続化することがある。", "platforms": "Linux, macOS, Windows", "version": "1.0", "created": "2025-01-31", "modified": "2025-04-15", "subs": [], "procedures": [], "mitigations": [], "detections": [ { "id": "DET0015", "name": "Detection Strategy for Exclusive Control", "name_ja": "排他的制御の検知", "desc_en": "", "desc_ja": "排他的制御に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1671", "ja": "クラウドアプリ統合", "en": "Cloud Application Integration", "desc_en": "Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends.", "desc_ja": "敵対者は、悪意あるクラウドアプリ統合(OAuthアプリ等)を追加して永続化することがある。", "platforms": "Office Suite, SaaS", "version": "1.0", "created": "2025-03-20", "modified": "2025-04-15", "subs": [], "procedures": [ { "id": "C0059", "name": "Salesforce Data Exfiltration", "desc_en": "During Salesforce Data Exfiltration, threat actors deceived victims into authorizing malicious connected apps to their organization's Salesforce portal." } ], "mitigations": [ { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Do not allow users to add new application integrations into a SaaS environment. In Entra ID environments, consider enforcing the “Do not allow user consent” option.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Periodically review SaaS integrations for unapproved or potentially malicious applications.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0539", "name": "Detection Strategy for Cloud Application Integration", "name_ja": "クラウドアプリ統合の検知", "desc_en": "", "desc_ja": "クラウドアプリ統合に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] } ] }, { "tactic": "TA0004", "tactic_en": "Privilege Escalation", "tactic_ja": "権限昇格", "techniques": [ { "tid": "T1037", "ja": "起動/ログオン初期化スクリプト", "en": "Boot or Logon Initialization Scripts", "desc_en": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.", "desc_ja": "敵対者は、起動/ログオン時に実行される初期化スクリプトを悪用して永続化することがある。", "platforms": "ESXi, Linux, macOS, Network Devices, Windows", "version": "2.4", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1037.001", "ja": "ログオンスクリプト(Windows)", "en": "Logon Script (Windows)", "desc_en": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.", "desc_ja": "敵対者は、Windowsのログオンスクリプトを悪用して、ログオン時に悪意あるコードを実行し永続化することがある。" }, { "sid": ".002", "tid": "T1037.002", "ja": "ログインフック", "en": "Login Hook", "desc_en": "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.", "desc_ja": "敵対者は、macOSのログインフックを悪用して永続化することがある。" }, { "sid": ".003", "tid": "T1037.003", "ja": "ネットワークログオンスクリプト", "en": "Network Logon Script", "desc_en": "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. \n \nAdversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.", "desc_ja": "敵対者は、ネットワークログオンスクリプトを悪用して永続化することがある。" }, { "sid": ".004", "tid": "T1037.004", "ja": "RCスクリプト", "en": "RC Scripts", "desc_en": "Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.", "desc_ja": "敵対者は、RCスクリプト(rc.local等)を悪用して起動時に永続化することがある。" }, { "sid": ".005", "tid": "T1037.005", "ja": "スタートアップアイテム", "en": "Startup Items", "desc_en": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.", "desc_ja": "敵対者は、スタートアップアイテムを悪用して起動時に永続化することがある。" } ], "procedures": [ { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor used malicious boot scripts to install the Line Runner backdoor on victim devices." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used a hidden shell script in `/etc/rc.d/init.d` to leverage the `ADORE.XSEC`backdoor and `Adore-NG` rootkit." }, { "id": "G0106", "name": "Rocke", "desc_en": "Rocke has installed an \"init.d\" startup script to maintain persistence." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has attempted to bypass digital signature verification checks at startup by adding a command to the startup config `/etc/init.d/localnet` within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices." }, { "id": "S1078", "name": "RotaJakiro", "desc_en": "Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a `.conf` file in the `/etc/init/` folder." }, { "id": "S1217", "name": "VIRTUALPITA", "desc_en": "VIRTUALPITA can persist as an init.d startup service on Linux vCenter systems." }, { "id": "S9024", "name": "SPAWNCHIMERA", "desc_en": "SPAWNCHIMERA has modified the boot process files within `/tmp/coreboot_fs/bin/init` to establish persistence." } ], "mitigations": [ { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict write access to logon scripts to specific administrators.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1024", "name": "Restrict Registry Permissions", "name_ja": "レジストリ権限の制限", "desc_en": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.", "desc_ja": "レジストリキーの権限を制限し、不正な改変を防ぐ。" } ], "detections": [ { "id": "DET0112", "name": "Boot or Logon Initialization Scripts Detection Strategy", "name_ja": "起動/ログオン初期化スクリプトの検知", "desc_en": "", "desc_ja": "起動/ログオン初期化スクリプトに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1053", "ja": "スケジュールされたタスク/ジョブ", "en": "Scheduled Task/Job", "desc_en": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.", "desc_ja": "敵対者は、タスクスケジューラ機能を悪用して、悪意あるコードを定期的または特定時刻に実行することがある。", "platforms": "Containers, ESXi, Linux, macOS, Network Devices, Windows", "version": "2.5", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".002", "tid": "T1053.002", "ja": "At", "en": "At", "desc_en": "Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation `Win32_ScheduledJob` WMI class.", "desc_ja": "敵対者は、atコマンドを悪用してタスクをスケジュール実行することがある。" }, { "sid": ".003", "tid": "T1053.003", "ja": "Cron", "en": "Cron", "desc_en": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.", "desc_ja": "敵対者は、cronを悪用してタスクを定期実行し永続化することがある。" }, { "sid": ".005", "tid": "T1053.005", "ja": "スケジュールされたタスク", "en": "Scheduled Task", "desc_en": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.", "desc_ja": "敵対者は、Windowsのスケジュールされたタスクを悪用して実行・永続化することがある。" }, { "sid": ".006", "tid": "T1053.006", "ja": "systemdタイマー", "en": "Systemd Timers", "desc_en": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.", "desc_ja": "敵対者は、systemdタイマーを悪用してタスクを定期実行し永続化することがある。" }, { "sid": ".007", "tid": "T1053.007", "ja": "コンテナオーケストレーションジョブ", "en": "Container Orchestration Job", "desc_en": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.", "desc_ja": "敵対者は、コンテナオーケストレーションのジョブ機能を悪用してタスクを実行・永続化することがある。" } ], "procedures": [ { "id": "C0063", "name": "2025 Poland Wiper Attacks", "desc_en": "During the 2025 Poland Wiper Attacks, the adversaries set FortiGate scheduled tasks to run the adversary generated CLI scripts weekly." }, { "id": "S0447", "name": "Lokibot", "desc_en": "Lokibot's second stage DLL has set a timer using “timeSetEvent” to schedule its next execution." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0094", "name": "Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse", "name_ja": "スケジュールされたタスク/ジョブの検知", "desc_en": "", "desc_ja": "スケジュールされたタスク/ジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1055", "ja": "プロセスインジェクション", "en": "Process Injection", "desc_en": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.", "desc_ja": "敵対者は、正規プロセスに悪意あるコードを注入して権限昇格やステルスを行うことがある。", "platforms": "Linux, macOS, Windows", "version": "2.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1055.001", "ja": "DLLインジェクション", "en": "Dynamic-link Library Injection", "desc_en": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、正規プロセスにDLLを注入して悪意あるコードを実行することがある。" }, { "sid": ".002", "tid": "T1055.002", "ja": "PEインジェクション", "en": "Portable Executable Injection", "desc_en": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、正規プロセスにPE(実行ファイル)を注入して実行することがある。" }, { "sid": ".003", "tid": "T1055.003", "ja": "スレッド実行ハイジャック", "en": "Thread Execution Hijacking", "desc_en": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、既存スレッドの実行を乗っ取ってコードを実行することがある。" }, { "sid": ".004", "tid": "T1055.004", "ja": "非同期プロシージャコール(APC)", "en": "Asynchronous Procedure Call", "desc_en": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、非同期プロシージャコール(APC)を悪用してコードを注入することがある。" }, { "sid": ".005", "tid": "T1055.005", "ja": "スレッドローカルストレージ", "en": "Thread Local Storage", "desc_en": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、スレッドローカルストレージを悪用してコードを注入することがある。" }, { "sid": ".008", "tid": "T1055.008", "ja": "ptraceシステムコール", "en": "Ptrace System Calls", "desc_en": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、ptraceシステムコールを悪用して他プロセスにコードを注入することがある。" }, { "sid": ".009", "tid": "T1055.009", "ja": "Procメモリ", "en": "Proc Memory", "desc_en": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、/procメモリを悪用してコードを注入することがある。" }, { "sid": ".011", "tid": "T1055.011", "ja": "Extra Window Memoryインジェクション", "en": "Extra Window Memory Injection", "desc_en": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、Extra Window Memoryを悪用してコードを注入することがある。" }, { "sid": ".012", "tid": "T1055.012", "ja": "プロセスハロウィング", "en": "Process Hollowing", "desc_en": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、プロセスハロウィングで正規プロセスの中身を悪意あるコードに置き換えることがある。" }, { "sid": ".013", "tid": "T1055.013", "ja": "プロセスドッペルゲンギング", "en": "Process Doppelgänging", "desc_en": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、プロセスドッペルゲンギングで検知を回避しつつコードを実行することがある。" }, { "sid": ".014", "tid": "T1055.014", "ja": "VDSOハイジャック", "en": "VDSO Hijacking", "desc_en": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.", "desc_ja": "敵対者は、VDSOハイジャックでコードを注入することがある。" }, { "sid": ".015", "tid": "T1055.015", "ja": "ListPlanting", "en": "ListPlanting", "desc_en": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.", "desc_ja": "敵対者は、ListPlantingを悪用してコードを注入することがある。" } ], "procedures": [ { "id": "C0013", "name": "Operation Sharpshooter", "desc_en": "During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors injected code into a selected process, which in turn launches a command as a child process of the original." }, { "id": "C0028", "name": "2015 Ukraine Electric Power Attack", "desc_en": "During the 2015 Ukraine Electric Power Attack, Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2." }, { "id": "C0029", "name": "Cutting Edge", "desc_en": "During Cutting Edge, threat actors used malicious SparkGateway plugins to inject shared objects into web process memory on compromised Ivanti Secure Connect VPNs to enable deployment of backdoors." }, { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor included injecting code into the AAA and Crash Dump processes on infected Cisco ASA devices." }, { "id": "C0056", "name": "RedPenguin", "desc_en": "During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes." }, { "id": "C0057", "name": "3CX Supply Chain Attack", "desc_en": "During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL uses process injection to inject the C2 communication module code in the first found process instance of Chrome, Firefox, or Edge web browsers. It also monitors the established named pipe and re-injects the C2 communication module if necessary." }, { "id": "G0010", "name": "Turla", "desc_en": "Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system." }, { "id": "G0047", "name": "Gamaredon Group", "desc_en": "Gamaredon Group has injected Remcos into explorer.exe." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe." }, { "id": "G0067", "name": "APT37", "desc_en": "APT37 injects its malware variant, ROKRAT, into the cmd.exe process." }, { "id": "G0068", "name": "PLATINUM", "desc_en": "PLATINUM has used various methods of process injection including hot patching." }, { "id": "G0080", "name": "Cobalt Group", "desc_en": "Cobalt Group has injected code into trusted processes." }, { "id": "G0082", "name": "APT38", "desc_en": "APT38 has injected malicious payloads into the `explorer.exe` process." }, { "id": "G0091", "name": "Silence", "desc_en": "Silence has injected a DLL library containing a Trojan into the fwmain32.exe process." }, { "id": "G0094", "name": "Kimsuky", "desc_en": "Kimsuky has used Win7Elevate to inject malicious code into explorer.exe." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has used process injection to execute payloads to escalate privileges." }, { "id": "G1018", "name": "TA2541", "desc_en": "TA2541 has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe." }, { "id": "G1023", "name": "APT5", "desc_en": "APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality." }, { "id": "G1043", "name": "BlackByte", "desc_en": "BlackByte has injected Cobalt Strike into `wuauclt.exe` during intrusions. BlackByte has injected ransomware into `svchost.exe` before encryption." }, { "id": "G1047", "name": "Velvet Ant", "desc_en": "Velvet Ant initial execution included launching multiple `svchost` processes and injecting code into them." }, { "id": "S0024", "name": "Dyre", "desc_en": "Dyre has the ability to directly inject its code into the web browser process." }, { "id": "S0032", "name": "gh0st RAT", "desc_en": "gh0st RAT can inject malicious code into process created by the “Command_Create&Inject” function." }, { "id": "S0040", "name": "HTRAN", "desc_en": "HTRAN can inject into into running processes." }, { "id": "S0044", "name": "JHUHUGIT", "desc_en": "JHUHUGIT performs code injection injecting its own functions to browser processes." }, { "id": "S0084", "name": "Mis-Type", "desc_en": "Mis-Type has been injected directly into a running process, including `explorer.exe`." }, { "id": "S0093", "name": "Backdoor.Oldrea", "desc_en": "Backdoor.Oldrea injects itself into explorer.exe." }, { "id": "S0154", "name": "Cobalt Strike", "desc_en": "Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary." }, { "id": "S0168", "name": "Gazer", "desc_en": "Gazer injects its communication module into an Internet accessible process through which it performs C2." }, { "id": "S0176", "name": "Wingbird", "desc_en": "Wingbird performs multiple process injections to hijack system processes and execute malicious code." }, { "id": "S0198", "name": "NETWIRE", "desc_en": "NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe." }, { "id": "S0201", "name": "JPIN", "desc_en": "JPIN can inject content into lsass.exe to load a module." }, { "id": "S0206", "name": "Wiarp", "desc_en": "Wiarp creates a backdoor through which remote attackers can inject files into running processes." }, { "id": "S0226", "name": "Smoke Loader", "desc_en": "Smoke Loader injects into the Internet Explorer process." }, { "id": "S0240", "name": "ROKRAT", "desc_en": "ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`." }, { "id": "S0247", "name": "NavRAT", "desc_en": "NavRAT copies itself into a running Internet Explorer process to evade detection." }, { "id": "S0260", "name": "InvisiMole", "desc_en": "InvisiMole can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure." }, { "id": "S0266", "name": "TrickBot", "desc_en": "TrickBot has used Nt* Native API functions to inject code into legitimate processes such as wermgr.exe." }, { "id": "S0331", "name": "Agent Tesla", "desc_en": "Agent Tesla can inject into known, vulnerable binaries on targeted hosts." }, { "id": "S0332", "name": "Remcos", "desc_en": "Remcos has a command to hide itself by injecting into another process." }, { "id": "S0347", "name": "AuditCred", "desc_en": "AuditCred can inject code from files to other running processes." }, { "id": "S0348", "name": "Cardinal RAT", "desc_en": "Cardinal RAT injects into a newly spawned process created from a native Windows executable." }, { "id": "S0363", "name": "Empire", "desc_en": "Empire contains multiple modules for injecting into processes, such as Invoke-PSInject." }, { "id": "S0376", "name": "HOPLIGHT", "desc_en": "HOPLIGHT has injected into running processes." }, { "id": "S0378", "name": "PoshC2", "desc_en": "PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject." }, { "id": "S0380", "name": "StoneDrill", "desc_en": "StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser." }, { "id": "S0398", "name": "HyperBro", "desc_en": "HyperBro can run shellcode it injects into a newly created process." }, { "id": "S0436", "name": "TSCookie", "desc_en": "TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes." }, { "id": "S0438", "name": "Attor", "desc_en": "Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection." }, { "id": "S0446", "name": "Ryuk", "desc_en": "Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread." }, { "id": "S0469", "name": "ABK", "desc_en": "ABK has the ability to inject shellcode into svchost.exe." }, { "id": "S0470", "name": "BBK", "desc_en": "BBK has the ability to inject shellcode into svchost.exe." }, { "id": "S0473", "name": "Avenger", "desc_en": "Avenger has the ability to inject shellcode into svchost.exe." }, { "id": "S0496", "name": "REvil", "desc_en": "REvil can inject itself into running processes on a compromised host." }, { "id": "S0533", "name": "SLOTHFULMEDIA", "desc_en": "SLOTHFULMEDIA can inject into running processes on a compromised host." }, { "id": "S0534", "name": "Bazar", "desc_en": "Bazar can inject code through calling VirtualAllocExNuma." }, { "id": "S0554", "name": "Egregor", "desc_en": "Egregor can inject its payload into iexplore.exe process." }, { "id": "S0561", "name": "GuLoader", "desc_en": "GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process." }, { "id": "S0579", "name": "Waterbear", "desc_en": "Waterbear can inject decrypted shellcode into the LanmanServer service." }, { "id": "S0581", "name": "IronNetInjector", "desc_en": "IronNetInjector can use an IronPython scripts to load a .NET injector to inject a payload into its own or a remote process." }, { "id": "S0596", "name": "ShadowPad", "desc_en": "ShadowPad has injected an install module into a newly created process." }, { "id": "S0614", "name": "CostaBricks", "desc_en": "CostaBricks can inject a payload into the memory of a compromised host." }, { "id": "S0633", "name": "Sliver", "desc_en": "Sliver includes multiple methods to perform process injection to migrate the framework into other, potentially privileged processes on the victim machine." }, { "id": "S0650", "name": "QakBot", "desc_en": "QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe., and wermgr.exe." }, { "id": "S0660", "name": "Clambling", "desc_en": "Clambling can inject into the `svchost.exe` process for execution." }, { "id": "S0664", "name": "Pandora", "desc_en": "Pandora can start and inject code into a new `svchost` process." }, { "id": "S0670", "name": "WarzoneRAT", "desc_en": "WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation." }, { "id": "S0681", "name": "Lizar", "desc_en": "Lizar can migrate the loader into another process." }, { "id": "S0692", "name": "SILENTTRINITY", "desc_en": "SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process." }, { "id": "S0695", "name": "Donut", "desc_en": "Donut includes a subproject DonutTest to inject shellcode into a target process." }, { "id": "S1039", "name": "Bumblebee", "desc_en": "Bumblebee can inject code into multiple processes on infected endpoints." }, { "id": "S1050", "name": "PcShare", "desc_en": "The PcShare payload has been injected into the `logagent.exe` and `rdpclip.exe` processes." }, { "id": "S1059", "name": "metaMain", "desc_en": "metaMain can inject the loader file, Speech02.db, into a process." }, { "id": "S1065", "name": "Woody RAT", "desc_en": "Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then create a remote thread." }, { "id": "S1074", "name": "ANDROMEDA", "desc_en": "ANDROMEDA can inject into the `wuauclt.exe` process to perform C2 actions." }, { "id": "S1081", "name": "BADHATCH", "desc_en": "BADHATCH can inject itself into an existing explorer.exe process by using `RtlCreateUserThread`." }, { "id": "S1100", "name": "Ninja", "desc_en": "Ninja has the ability to inject an agent module into a new process and arbitrary shellcode into running processes." }, { "id": "S1105", "name": "COATHANGER", "desc_en": "COATHANGER includes a binary labeled `authd` that can inject a library into a running process and then hook an existing function within that process with a new function from that library." }, { "id": "S1122", "name": "Mispadu", "desc_en": "Mispadu's binary is injected into memory via `WriteProcessMemory`." }, { "id": "S1159", "name": "DUSTTRAP", "desc_en": "DUSTTRAP compromises the `.text` section of a legitimate system DLL in `%windir%` to hold the contents of retrieved plug-ins." }, { "id": "S1181", "name": "BlackByte 2.0 Ransomware", "desc_en": "BlackByte 2.0 Ransomware injects into a newly-created `svchost.exe` process prior to device encryption." }, { "id": "S9019", "name": "PureCrypter", "desc_en": "PureCrypter can inject its final stage into another process on the targeted system." }, { "id": "S9020", "name": "LODEINFO", "desc_en": "LODEINFO can inject shellcode into the memory of compromised hosts." }, { "id": "S9021", "name": "DOWNIISSA", "desc_en": "DOWNIISSA can inject shellcode directly into process memory including WINWORD.exe and msiexec.exe." }, { "id": "S9023", "name": "HiddenFace", "desc_en": "HiddenFace can inject code directly into legitimate applications." }, { "id": "S9025", "name": "NOOPLDR", "desc_en": "NOOPLDR can inject decrypted payloads into processes including wuauclt.exe., rdrleakdiag.exe, and tabcal.exe." } ], "mitigations": [ { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" } ], "detections": [ { "id": "DET0508", "name": "Behavioral Detection of Process Injection Across Platforms", "name_ja": "プロセスインジェクションの検知", "desc_en": "", "desc_ja": "プロセスインジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1068", "ja": "権限昇格のための脆弱性悪用", "en": "Exploitation for Privilege Escalation", "desc_en": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.", "desc_ja": "敵対者は、脆弱性を悪用してより高い権限を取得することがある。", "platforms": "Containers, Linux, macOS, Windows", "version": "1.6", "created": "2017-05-31", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "C0045", "name": "ShadowRay", "desc_en": "During ShadowRay, threat actors downloaded a privilege escalation payload to gain root access." }, { "id": "C0049", "name": "Leviathan Australian Intrusions", "desc_en": "Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263, and CVE-2022-38028 to escalate privileges." }, { "id": "G0010", "name": "Turla", "desc_en": "Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges." }, { "id": "G0037", "name": "FIN6", "desc_en": "FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has exploited the Windows Kernel Elevation of Privilege vulnerability, CVE-2024-30088." }, { "id": "G0050", "name": "APT32", "desc_en": "APT32 has used CVE-2016-7255 to escalate privileges." }, { "id": "G0061", "name": "FIN8", "desc_en": "FIN8 has exploited the CVE-2016-0167 local vulnerability." }, { "id": "G0064", "name": "APT33", "desc_en": "APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system." }, { "id": "G0068", "name": "PLATINUM", "desc_en": "PLATINUM has leveraged a zero-day vulnerability to escalate privileges." }, { "id": "G0080", "name": "Cobalt Group", "desc_en": "Cobalt Group has used exploits to increase their levels of rights and privileges." }, { "id": "G0107", "name": "Whitefly", "desc_en": "Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers." }, { "id": "G0125", "name": "HAFNIUM", "desc_en": "HAFNIUM has targeted unpatched applications to elevate access in targeted organizations." }, { "id": "G0128", "name": "ZIRCONIUM", "desc_en": "ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation." }, { "id": "G0131", "name": "Tonto Team", "desc_en": "Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges." }, { "id": "G1002", "name": "BITTER", "desc_en": "BITTER has exploited CVE-2021-1732 for privilege escalation." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys)." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has gained initial access by exploiting privilege escalation vulnerabilities in the operating system or network services." }, { "id": "G1019", "name": "MoustachedBouncer", "desc_en": "MoustachedBouncer has exploited CVE-2021-1732 to execute malware components with elevated rights." }, { "id": "G1043", "name": "BlackByte", "desc_en": "BlackByte has exploited CVE-2024-37085 in VMWare ESXi software for authentication bypass and subsequent privilege escalation." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has exploited zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs." }, { "id": "S0044", "name": "JHUHUGIT", "desc_en": "JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges." }, { "id": "S0050", "name": "CosmicDuke", "desc_en": "CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398." }, { "id": "S0125", "name": "Remsec", "desc_en": "Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges." }, { "id": "S0154", "name": "Cobalt Strike", "desc_en": "Cobalt Strike can exploit vulnerabilities such as MS14-058." }, { "id": "S0176", "name": "Wingbird", "desc_en": "Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges." }, { "id": "S0260", "name": "InvisiMole", "desc_en": "InvisiMole has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges." }, { "id": "S0363", "name": "Empire", "desc_en": "Empire can exploit vulnerabilities such as MS16-032 and MS16-135." }, { "id": "S0378", "name": "PoshC2", "desc_en": "PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099." }, { "id": "S0484", "name": "Carberp", "desc_en": "Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation." }, { "id": "S0601", "name": "Hildegard", "desc_en": "Hildegard has used the BOtB tool which exploits CVE-2019-5736." }, { "id": "S0603", "name": "Stuxnet", "desc_en": "Stuxnet used MS10-073 and an undisclosed Task Scheduler vulnerability to escalate privileges on local Windows machines." }, { "id": "S0623", "name": "Siloscape", "desc_en": "Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host." }, { "id": "S0654", "name": "ProLock", "desc_en": "ProLock can use CVE-2019-0859 to escalate privileges on a compromised host." }, { "id": "S0658", "name": "XCSSET", "desc_en": "XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP." }, { "id": "S0664", "name": "Pandora", "desc_en": "Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver." }, { "id": "S0672", "name": "Zox", "desc_en": "Zox has the ability to leverage local and remote exploits to escalate privileges." }, { "id": "S1151", "name": "ZeroCleare", "desc_en": "ZeroCleare has used a vulnerable signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) protections and subsequently load the unsigned RawDisk driver." }, { "id": "S1181", "name": "BlackByte 2.0 Ransomware", "desc_en": "BlackByte 2.0 Ransomware exploits a vulnerability in the RTCore64.sys driver (CVE-2019-16098) to enable privilege escalation and defense evasion when run as a service." }, { "id": "S1247", "name": "Embargo", "desc_en": "Embargo has leveraged MS4Killer to deliver a vulnerable driver to the victim device, sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD). Embargo has utilized the vulnerable driver probmon.sys version 3.0.0.4 which had a revoked certificated from “ITM System Co.,LTD.”" } ], "mitigations": [ { "id": "M1019", "name": "Threat Intelligence Program", "name_ja": "脅威インテリジェンスプログラム", "desc_en": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.", "desc_ja": "脅威インテリジェンスを活用し、対象となる脅威アクターのTTPを把握する。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1048", "name": "Application Isolation and Sandboxing", "name_ja": "アプリケーション分離・サンドボックス化", "desc_en": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.", "desc_ja": "アプリを分離・サンドボックス化し、影響範囲を限定する。" }, { "id": "M1050", "name": "Exploit Protection", "name_ja": "エクスプロイト保護", "desc_en": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.", "desc_ja": "エクスプロイト保護機能で脆弱性悪用を防ぐ。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Update software regularly by employing patch management for internal enterprise endpoints and servers.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0514", "name": "Detection Strategy for Exploitation for Privilege Escalation", "name_ja": "権限昇格のための脆弱性悪用の検知", "desc_en": "", "desc_ja": "権限昇格のための脆弱性悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1078", "ja": "有効なアカウント", "en": "Valid Accounts", "desc_en": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.", "desc_ja": "敵対者は、有効なアカウントの認証情報を用いて検知を回避しアクセスすることがある。", "platforms": "Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows", "version": "3.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1078.001", "ja": "デフォルトアカウント", "en": "Default Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.", "desc_ja": "敵対者は、デフォルトアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。" }, { "sid": ".002", "tid": "T1078.002", "ja": "ドメインアカウント", "en": "Domain Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.", "desc_ja": "敵対者は、ドメインアカウントの認証情報を悪用してアクセスや横展開を行うことがある。" }, { "sid": ".003", "tid": "T1078.003", "ja": "ローカルアカウント", "en": "Local Accounts", "desc_en": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.", "desc_ja": "敵対者は、ローカルアカウントの認証情報を悪用してアクセスを行うことがある。" }, { "sid": ".004", "tid": "T1078.004", "ja": "クラウドアカウント", "en": "Cloud Accounts", "desc_en": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.", "desc_ja": "敵対者は、クラウドアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。" } ], "procedures": [ { "id": "C0002", "name": "Night Dragon", "desc_en": "During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems." }, { "id": "C0014", "name": "Operation Wocao", "desc_en": "During Operation Wocao, threat actors used valid VPN credentials to gain initial access." }, { "id": "C0024", "name": "SolarWinds Compromise", "desc_en": "During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally." }, { "id": "C0028", "name": "2015 Ukraine Electric Power Attack", "desc_en": "During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network." }, { "id": "C0032", "name": "C0032", "desc_en": "During the C0032 campaign, TEMP.Veles used compromised VPN accounts." }, { "id": "C0038", "name": "HomeLand Justice", "desc_en": "During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts." }, { "id": "C0048", "name": "Operation MidnightEclipse", "desc_en": "During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks." }, { "id": "C0049", "name": "Leviathan Australian Intrusions", "desc_en": "Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions." }, { "id": "C0056", "name": "RedPenguin", "desc_en": "During RedPenguin, UNC3886 used legitimate credentials to gain priviliged access to Juniper routers." }, { "id": "C0057", "name": "3CX Supply Chain Attack", "desc_en": "During 3CX Supply Chain Attack, AppleJeus has gained access to the 3CX corporate environment through legitimate VPN credentials." }, { "id": "C0062", "name": "Anthropic AI-orchestrated Campaign", "desc_en": "During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks." }, { "id": "G0001", "name": "Axiom", "desc_en": "Axiom has used previously compromised administrative accounts to escalate privileges." }, { "id": "G0004", "name": "Ke3chang", "desc_en": "Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder." }, { "id": "G0008", "name": "Carbanak", "desc_en": "Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars." }, { "id": "G0011", "name": "PittyTiger", "desc_en": "PittyTiger attempts to obtain legitimate credentials during operations." }, { "id": "G0016", "name": "APT29", "desc_en": "APT29 has used a compromised account to access an organization's VPN infrastructure." }, { "id": "G0026", "name": "APT18", "desc_en": "APT18 actors leverage legitimate credentials to log into external remote services." }, { "id": "G0027", "name": "Threat Group-3390", "desc_en": "Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group has used administrator credentials to gain access to restricted network segments." }, { "id": "G0034", "name": "Sandworm Team", "desc_en": "Sandworm Team have used previously acquired legitimate credentials prior to attacks." }, { "id": "G0035", "name": "Dragonfly", "desc_en": "Dragonfly has compromised user credentials and used valid accounts for operations." }, { "id": "G0037", "name": "FIN6", "desc_en": "To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes." }, { "id": "G0039", "name": "Suckfly", "desc_en": "Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner." }, { "id": "G0045", "name": "menuPass", "desc_en": "menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments." }, { "id": "G0046", "name": "FIN7", "desc_en": "FIN7 has harvested valid administrative credentials for lateral movement." }, { "id": "G0049", "name": "OilRig", "desc_en": "OilRig has used compromised credentials to access other systems on a victim network." }, { "id": "G0051", "name": "FIN10", "desc_en": "FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor." }, { "id": "G0053", "name": "FIN5", "desc_en": "FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment." }, { "id": "G0061", "name": "FIN8", "desc_en": "FIN8 has used valid accounts for persistence and lateral movement." }, { "id": "G0064", "name": "APT33", "desc_en": "APT33 has used valid accounts for initial access and privilege escalation." }, { "id": "G0065", "name": "Leviathan", "desc_en": "Leviathan has obtained valid accounts to gain initial access." }, { "id": "G0085", "name": "FIN4", "desc_en": "FIN4 has used legitimate credentials to hijack email communications." }, { "id": "G0087", "name": "APT39", "desc_en": "APT39 has used stolen credentials to compromise Outlook Web Access (OWA)." }, { "id": "G0091", "name": "Silence", "desc_en": "Silence has used compromised credentials to log on to other systems and escalate privileges." }, { "id": "G0093", "name": "GALLIUM", "desc_en": "GALLIUM leveraged valid accounts to maintain access to a victim network." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 used compromised credentials to log on to other systems." }, { "id": "G0102", "name": "Wizard Spider", "desc_en": "Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers." }, { "id": "G0114", "name": "Chimera", "desc_en": "Chimera has used a valid account to maintain persistence via scheduled task." }, { "id": "G0117", "name": "Fox Kitten", "desc_en": "Fox Kitten has used valid credentials with various services during lateral movement." }, { "id": "G0119", "name": "Indrik Spider", "desc_en": "Indrik Spider has used valid accounts for initial access and lateral movement. Indrik Spider has also maintained access to the victim environment through the VPN infrastructure." }, { "id": "G0122", "name": "Silent Librarian", "desc_en": "Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts." }, { "id": "G1004", "name": "LAPSUS$", "desc_en": "LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs." }, { "id": "G1005", "name": "POLONIUM", "desc_en": "POLONIUM has used valid compromised credentials to gain access to victim environments." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has used compromised credentials for initial access." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon relies primarily on valid credentials for persistence." }, { "id": "G1021", "name": "Cinnamon Tempest", "desc_en": "Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services." }, { "id": "G1024", "name": "Akira", "desc_en": "Akira uses valid account information to remotely access victim networks, such as VPN credentials." }, { "id": "G1032", "name": "INC Ransom", "desc_en": "INC Ransom has used compromised valid accounts for access to victim environments." }, { "id": "G1033", "name": "Star Blizzard", "desc_en": "Star Blizzard has used stolen credentials to sign into victim email accounts." }, { "id": "G1040", "name": "Play", "desc_en": "Play has used valid VPN accounts to achieve initial access." }, { "id": "G1041", "name": "Sea Turtle", "desc_en": "Sea Turtle used compromised credentials to maintain long-term access to victim environments." }, { "id": "G1043", "name": "BlackByte", "desc_en": "BlackByte has gained access to victim environments through legitimate VPN credentials." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has used tools to hijack valid SSH accounts." }, { "id": "G1051", "name": "Medusa Group", "desc_en": "Medusa Group has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement sometimes in combination with PsExec." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure. VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems. VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions." }, { "id": "S0038", "name": "Duqu", "desc_en": "Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware." }, { "id": "S0053", "name": "SeaDuke", "desc_en": "Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials." }, { "id": "S0362", "name": "Linux Rabbit", "desc_en": "Linux Rabbit acquires valid SSH accounts through brute force." }, { "id": "S0567", "name": "Dtrack", "desc_en": "Dtrack used hard-coded credentials to gain access to a network share." }, { "id": "S0599", "name": "Kinsing", "desc_en": "Kinsing has used valid SSH credentials to access remote hosts." }, { "id": "S0604", "name": "Industroyer", "desc_en": "Industroyer can use supplied user credentials to execute processes and stop services." }, { "id": "S9036", "name": "LP-Notes", "desc_en": "LP-Notes has used stolen Windows credentials to log in as the users." } ], "mitigations": [ { "id": "M1013", "name": "Application Developer Guidance", "name_ja": "アプリケーション開発者向けガイダンス", "desc_en": "Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).", "desc_ja": "開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。" }, { "id": "M1015", "name": "Active Directory Configuration", "name_ja": "Active Directory構成", "desc_en": "Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.", "desc_ja": "Active Directoryを適切に構成し、攻撃対象領域を縮小する。" }, { "id": "M1017", "name": "User Training", "name_ja": "ユーザー教育", "desc_en": "Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.", "desc_ja": "ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。" }, { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include if default accounts have been enabled, or if new local accounts are created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1027", "name": "Password Policies", "name_ja": "パスワードポリシー", "desc_en": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. When possible, applications that use SSH keys should be updated periodically and properly secured.\n\nPolicies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.", "desc_ja": "強固なパスワードポリシーを適用し、推測・解読を困難にする。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Implement multi-factor authentication (MFA) across all account types, including default, local, domain, and cloud accounts, to prevent unauthorized access, even if credentials are compromised. MFA provides a critical layer of security by requiring multiple forms of verification beyond just a password. This measure significantly reduces the risk of adversaries abusing valid accounts to gain initial access, escalate privileges, maintain persistence, or evade defenses within your network.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1036", "name": "Account Use Policies", "name_ja": "アカウント使用ポリシー", "desc_en": "Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.", "desc_ja": "ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。" } ], "detections": [ { "id": "DET0560", "name": "Detection of Valid Account Abuse Across Platforms", "name_ja": "有効なアカウントの検知", "desc_en": "", "desc_ja": "有効なアカウントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1098", "ja": "アカウント操作", "en": "Account Manipulation", "desc_en": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.", "desc_ja": "敵対者は、アカウントの権限や認証情報を操作してアクセスを維持することがある。", "platforms": "Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows", "version": "2.8", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1098.001", "ja": "追加のクラウド認証情報", "en": "Additional Cloud Credentials", "desc_en": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.", "desc_ja": "敵対者は、追加のクラウド認証情報を登録してアクセスを維持することがある。" }, { "sid": ".002", "tid": "T1098.002", "ja": "追加のメール委任権限", "en": "Additional Email Delegate Permissions", "desc_en": "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.", "desc_ja": "敵対者は、追加のメール委任権限を付与してアクセスを維持することがある。" }, { "sid": ".003", "tid": "T1098.003", "ja": "追加のクラウドロール", "en": "Additional Cloud Roles", "desc_en": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).", "desc_ja": "敵対者は、追加のクラウドロールを付与して権限を維持/昇格することがある。" }, { "sid": ".004", "tid": "T1098.004", "ja": "SSH認証鍵", "en": "SSH Authorized Keys", "desc_en": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys (or, on ESXi, `/etc/ssh/keys-/authorized_keys`). Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH. The SSH config file is usually located under /etc/ssh/sshd_config.", "desc_ja": "敵対者は、SSH認証鍵を追加してアクセスを維持することがある。" }, { "sid": ".005", "tid": "T1098.005", "ja": "デバイス登録", "en": "Device Registration", "desc_en": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.", "desc_ja": "敵対者は、デバイスを登録してアクセスや永続化を行うことがある。" }, { "sid": ".006", "tid": "T1098.006", "ja": "追加のコンテナクラスタロール", "en": "Additional Container Cluster Roles", "desc_en": "An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.\n \nThis account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised.", "desc_ja": "敵対者は、追加のコンテナクラスタロールを付与して権限を維持することがある。" }, { "sid": ".007", "tid": "T1098.007", "ja": "追加のローカル/ドメイングループ", "en": "Additional Local or Domain Groups", "desc_en": "An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.", "desc_ja": "敵対者は、ローカル/ドメイングループへの追加でアクセスや権限を維持することがある。" } ], "procedures": [ { "id": "C0025", "name": "2016 Ukraine Electric Power Attack", "desc_en": "During the 2016 Ukraine Electric Power Attack, Sandworm Team used the `sp_addlinkedsrvlogin` command in MS-SQL to create a link between a created account and other servers in the network." }, { "id": "G0032", "name": "Lazarus Group", "desc_en": "Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account." }, { "id": "G0125", "name": "HAFNIUM", "desc_en": "HAFNIUM has granted privileges to domain accounts and reset the password for default admin accounts." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has added accounts to the ESX Admins group to grant them full admin rights in vSphere." }, { "id": "G1055", "name": "VOID MANTICORE", "desc_en": "VOID MANTICORE has leveraged access to administrative control systems to achieve disruptive effects, consistent with administrative account abuse or privilege escalation within existing access." }, { "id": "S0002", "name": "Mimikatz", "desc_en": "The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also manipulate the password hash of an account without knowing the clear text value." }, { "id": "S0274", "name": "Calisto", "desc_en": "Calisto adds permissions and remote logins to all users." }, { "id": "S9008", "name": "Shai-Hulud", "desc_en": "Shai-Hulud has modified GitHub account settings for private repositories and changed them to public." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict access to potentially sensitive files that deal with authentication and/or authorization.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1030", "name": "Network Segmentation", "name_ja": "ネットワークセグメンテーション", "desc_en": "Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.", "desc_ja": "ネットワークを分割し、横展開や影響範囲を限定する。" }, { "id": "M1032", "name": "Multi-factor Authentication", "name_ja": "多要素認証", "desc_en": "Use multi-factor authentication for user and privileged accounts.", "desc_ja": "多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Remove unnecessary and potentially abusable authentication and authorization mechanisms where possible.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" } ], "detections": [ { "id": "DET0096", "name": "Account Manipulation Behavior Chain Detection", "name_ja": "アカウント操作の検知", "desc_en": "", "desc_ja": "アカウント操作に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1134", "ja": "アクセストークン操作", "en": "Access Token Manipulation", "desc_en": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.", "desc_ja": "敵対者は、アクセストークンを操作して別ユーザーになりすまし権限昇格することがある。", "platforms": "Windows", "version": "3.0", "created": "2017-12-14", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1134.001", "ja": "トークンの偽装/窃取", "en": "Token Impersonation/Theft", "desc_en": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.", "desc_ja": "敵対者は、トークンを偽装/窃取して別ユーザーになりすますことがある。" }, { "sid": ".002", "tid": "T1134.002", "ja": "トークンを用いたプロセス作成", "en": "Create Process with Token", "desc_en": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.", "desc_ja": "敵対者は、窃取したトークンを用いてプロセスを作成することがある。" }, { "sid": ".003", "tid": "T1134.003", "ja": "トークンの作成と偽装", "en": "Make and Impersonate Token", "desc_en": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.", "desc_ja": "敵対者は、トークンを作成・偽装してなりすますことがある。" }, { "sid": ".004", "tid": "T1134.004", "ja": "親PIDスプーフィング", "en": "Parent PID Spoofing", "desc_en": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.", "desc_ja": "敵対者は、親PIDをスプーフィングしてプロセスの出自を偽装することがある。" }, { "sid": ".005", "tid": "T1134.005", "ja": "SID履歴インジェクション", "en": "SID-History Injection", "desc_en": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute , allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).", "desc_ja": "敵対者は、SID履歴を注入して権限を昇格することがある。" } ], "procedures": [ { "id": "C0017", "name": "C0017", "desc_en": "During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local `NT AUTHORITY\\SYSTEM` privilege escalation." }, { "id": "G0030", "name": "Lotus Blossom", "desc_en": "Lotus Blossom has retrieved process tokens for processes to adjust the privileges of the launch process or other items." }, { "id": "G0037", "name": "FIN6", "desc_en": "FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges." }, { "id": "G0108", "name": "Blue Mockingbird", "desc_en": "Blue Mockingbird has used JuicyPotato to abuse the SeImpersonate token privilege to escalate from web application pool accounts to NT Authority\\SYSTEM." }, { "id": "S0038", "name": "Duqu", "desc_en": "Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges." }, { "id": "S0058", "name": "SslMM", "desc_en": "SslMM contains a feature to manipulate process privileges and tokens." }, { "id": "S0194", "name": "PowerSploit", "desc_en": "PowerSploit's Invoke-TokenManipulation Exfiltration module can be used to manipulate tokens." }, { "id": "S0203", "name": "Hydraq", "desc_en": "Hydraq creates a backdoor through which remote attackers can adjust token privileges." }, { "id": "S0363", "name": "Empire", "desc_en": "Empire can use PowerSploit's Invoke-TokenManipulation to manipulate access tokens." }, { "id": "S0378", "name": "PoshC2", "desc_en": "PoshC2 can use Invoke-TokenManipulation for manipulating tokens." }, { "id": "S0446", "name": "Ryuk", "desc_en": "Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege." }, { "id": "S0562", "name": "SUNSPOT", "desc_en": "SUNSPOT modified its security token to grants itself debugging privileges by adding SeDebugPrivilege." }, { "id": "S0576", "name": "MegaCortex", "desc_en": "MegaCortex can enable SeDebugPrivilege and adjust token privileges." }, { "id": "S0607", "name": "KillDisk", "desc_en": "KillDisk has attempted to get the access token of a process by calling OpenProcessToken. If KillDisk gets the access token, then it attempt to modify the token privileges with AdjustTokenPrivileges." }, { "id": "S0622", "name": "AppleSeed", "desc_en": "AppleSeed can gain system level privilege by passing SeDebugPrivilege to the AdjustTokenPrivilege API." }, { "id": "S0625", "name": "Cuba", "desc_en": "Cuba has used SeDebugPrivilege and AdjustTokenPrivileges to elevate privileges." }, { "id": "S0633", "name": "Sliver", "desc_en": "Sliver has the ability to manipulate user tokens on targeted Windows systems." }, { "id": "S0666", "name": "Gelsemium", "desc_en": "Gelsemium can use token manipulation to bypass UAC on Windows7 systems." }, { "id": "S0697", "name": "HermeticWiper", "desc_en": "HermeticWiper can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`." }, { "id": "S1060", "name": "Mafalda", "desc_en": "Mafalda can use `AdjustTokenPrivileges()` to elevate privileges." }, { "id": "S1068", "name": "BlackCat", "desc_en": "BlackCat has the ability modify access tokens." }, { "id": "S1210", "name": "Sagerunex", "desc_en": "Sagerunex finds the `explorer.exe` process after execution and uses it to change the token of its executing thread." }, { "id": "S1242", "name": "Qilin", "desc_en": "Qilin can use an embedded Mimikatz module for token manipulation." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.\n\nAdministrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" } ], "detections": [ { "id": "DET0283", "name": "Behavior-chain detection for T1134 Access Token Manipulation on Windows", "name_ja": "アクセストークン操作の検知", "desc_en": "", "desc_ja": "アクセストークン操作に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1484", "ja": "ドメイン/テナントポリシーの変更", "en": "Domain or Tenant Policy Modification", "desc_en": "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.", "desc_ja": "敵対者は、グループポリシーやテナントポリシーを改変して権限昇格や防御妨害を行うことがある。", "platforms": "Windows, Identity Provider", "version": "4.0", "created": "2019-03-07", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1484.001", "ja": "グループポリシーの変更", "en": "Group Policy Modification", "desc_en": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.", "desc_ja": "敵対者は、グループポリシーを改変して権限昇格や防御妨害を行うことがある。" }, { "sid": ".002", "tid": "T1484.002", "ja": "信頼関係の変更", "en": "Trust Modification", "desc_en": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.", "desc_ja": "敵対者は、ドメイン/テナントの信頼関係を改変して権限昇格や防御妨害を行うことがある。" } ], "procedures": [], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later).", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" } ], "detections": [ { "id": "DET0270", "name": "Detection of Domain or Tenant Policy Modifications via AD and Identity Provider", "name_ja": "ドメイン/テナントポリシーの変更の検知", "desc_en": "", "desc_ja": "ドメイン/テナントポリシーの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1543", "ja": "システムプロセスの作成/変更", "en": "Create or Modify System Process", "desc_en": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.", "desc_ja": "敵対者は、サービスやデーモン等のシステムプロセスを作成/変更して永続化することがある。", "platforms": "Containers, Linux, macOS, Windows", "version": "1.2", "created": "2020-01-10", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1543.001", "ja": "Launch Agent", "en": "Launch Agent", "desc_en": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.", "desc_ja": "敵対者は、Launch Agentを作成/変更してmacOSで永続化することがある。" }, { "sid": ".002", "tid": "T1543.002", "ja": "systemdサービス", "en": "Systemd Service", "desc_en": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.", "desc_ja": "敵対者は、systemdサービスを作成/変更してLinuxで永続化することがある。" }, { "sid": ".003", "tid": "T1543.003", "ja": "Windowsサービス", "en": "Windows Service", "desc_en": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.", "desc_ja": "敵対者は、Windowsサービスを作成/変更して永続化することがある。" }, { "sid": ".004", "tid": "T1543.004", "ja": "Launch Daemon", "en": "Launch Daemon", "desc_en": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.", "desc_ja": "敵対者は、Launch Daemonを作成/変更してmacOSで永続化することがある。" }, { "sid": ".005", "tid": "T1543.005", "ja": "コンテナサービス", "en": "Container Service", "desc_en": "Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.", "desc_ja": "敵対者は、コンテナサービスを作成/変更して永続化することがある。" } ], "procedures": [ { "id": "S0401", "name": "Exaramel for Linux", "desc_en": "Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root." }, { "id": "S1121", "name": "LITTLELAMB.WOOLTEA", "desc_en": "LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background." }, { "id": "S1142", "name": "LunarMail", "desc_en": "LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory." }, { "id": "S1152", "name": "IMAPLoader", "desc_en": "IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification." }, { "id": "S1184", "name": "BOLDMOVE", "desc_en": "BOLDMOVE can free all resources and terminate itself on victim machines." }, { "id": "S1194", "name": "Akira _v2", "desc_en": "Akira _v2 can create a child process for encryption." }, { "id": "S9015", "name": "BRICKSTORM", "desc_en": "BRICKSTORM has created a new background session and has spawned a child process of a parent process when it determines it is not running in its intended state." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1033", "name": "Limit Software Installation", "name_ja": "ソフトウェアインストールの制限", "desc_en": "Restrict software installation to trusted repositories only and be cautious of orphaned software packages.", "desc_ja": "ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed drivers.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" }, { "id": "M1045", "name": "Code Signing", "name_ja": "コード署名", "desc_en": "Enforce registration and execution of only legitimately signed service drivers where possible.", "desc_ja": "コード署名を検証し、未署名・不正なコードの実行を防ぐ。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" }, { "id": "M1054", "name": "Software Configuration", "name_ja": "ソフトウェア構成", "desc_en": "Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.", "desc_ja": "ソフトウェアを安全に構成し、悪用を防ぐ。" } ], "detections": [ { "id": "DET0571", "name": "Detection of System Process Creation or Modification Across Platforms", "name_ja": "システムプロセスの作成/変更の検知", "desc_en": "", "desc_ja": "システムプロセスの作成/変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1546", "ja": "イベントトリガー実行", "en": "Event Triggered Execution", "desc_en": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.", "desc_ja": "敵対者は、特定イベントを契機に悪意あるコードが実行されるよう設定して永続化することがある。", "platforms": "Linux, macOS, Windows, SaaS, IaaS, Office Suite", "version": "1.4", "created": "2020-01-22", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1546.001", "ja": "既定のファイル関連付けの変更", "en": "Change Default File Association", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", "desc_ja": "敵対者は、既定のファイル関連付けを変更してイベント契機でコードを実行することがある。" }, { "sid": ".002", "tid": "T1546.002", "ja": "スクリーンセーバー", "en": "Screensaver", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations.", "desc_ja": "敵対者は、スクリーンセーバーを悪用してコードを実行することがある。" }, { "sid": ".003", "tid": "T1546.003", "ja": "WMIイベントサブスクリプション", "en": "Windows Management Instrumentation Event Subscription", "desc_en": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.", "desc_ja": "敵対者は、WMIイベントサブスクリプションを悪用してイベント契機で実行・永続化することがある。" }, { "sid": ".004", "tid": "T1546.004", "ja": "Unixシェル構成の変更", "en": "Unix Shell Configuration Modification", "desc_en": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.", "desc_ja": "敵対者は、Unixシェルの構成ファイルを改変してコードを実行することがある。" }, { "sid": ".005", "tid": "T1546.005", "ja": "Trap", "en": "Trap", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.", "desc_ja": "敵対者は、シェルのtrapを悪用してシグナル契機でコードを実行することがある。" }, { "sid": ".006", "tid": "T1546.006", "ja": "LC_LOAD_DYLIBの追加", "en": "LC_LOAD_DYLIB Addition", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes.", "desc_ja": "敵対者は、LC_LOAD_DYLIBを追加してmach-oバイナリにコードをロードさせることがある。" }, { "sid": ".007", "tid": "T1546.007", "ja": "NetshヘルパDLL", "en": "Netsh Helper DLL", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.", "desc_ja": "敵対者は、NetshヘルパDLLを悪用して永続化することがある。" }, { "sid": ".008", "tid": "T1546.008", "ja": "アクセシビリティ機能", "en": "Accessibility Features", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "desc_ja": "敵対者は、アクセシビリティ機能(stickykeys等)を悪用してコードを実行することがある。" }, { "sid": ".009", "tid": "T1546.009", "ja": "AppCert DLL", "en": "AppCert DLLs", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.", "desc_ja": "敵対者は、AppCert DLLを悪用してコードを実行・永続化することがある。" }, { "sid": ".010", "tid": "T1546.010", "ja": "AppInit DLL", "en": "AppInit DLLs", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.", "desc_ja": "敵対者は、AppInit DLLを悪用してコードを実行・永続化することがある。" }, { "sid": ".011", "tid": "T1546.011", "ja": "アプリケーションシミング", "en": "Application Shimming", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.", "desc_ja": "敵対者は、アプリケーションシミング(shim)を悪用して永続化することがある。" }, { "sid": ".012", "tid": "T1546.012", "ja": "IFEOインジェクション", "en": "Image File Execution Options Injection", "desc_en": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g notepad.exe).", "desc_ja": "敵対者は、IFEOインジェクションを悪用してデバッガ起動契機で実行することがある。" }, { "sid": ".013", "tid": "T1546.013", "ja": "PowerShellプロファイル", "en": "PowerShell Profile", "desc_en": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.", "desc_ja": "敵対者は、PowerShellプロファイルを改変してコードを実行・永続化することがある。" }, { "sid": ".014", "tid": "T1546.014", "ja": "Emond", "en": "Emond", "desc_en": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.", "desc_ja": "敵対者は、Emondを悪用してイベント契機でコードを実行することがある。" }, { "sid": ".015", "tid": "T1546.015", "ja": "COMハイジャック", "en": "Component Object Model Hijacking", "desc_en": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry.", "desc_ja": "敵対者は、COMハイジャックを悪用してコードを実行・永続化することがある。" }, { "sid": ".016", "tid": "T1546.016", "ja": "インストーラパッケージ", "en": "Installer Packages", "desc_en": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.", "desc_ja": "敵対者は、インストーラパッケージを悪用してコードを実行・永続化することがある。" }, { "sid": ".017", "tid": "T1546.017", "ja": "Udevルール", "en": "Udev Rules", "desc_en": "Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.", "desc_ja": "敵対者は、udevルールを悪用してデバイスイベント契機で実行することがある。" }, { "sid": ".018", "tid": "T1546.018", "ja": "Python起動フック", "en": "Python Startup Hooks", "desc_en": "Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.", "desc_ja": "敵対者は、Python起動フックを悪用してコードを実行することがある。" } ], "procedures": [ { "id": "C0035", "name": "KV Botnet Activity", "desc_en": "KV Botnet Activity involves managing events on victim systems via libevent to execute a callback function when any running process contains the following references in their path without also having a reference to bioset: busybox, wget, curl, tftp, telnetd, or lua. If the bioset string is not found, the related process is terminated." }, { "id": "S0658", "name": "XCSSET", "desc_en": "XCSSET's `dfhsebxzod` module searches for `.xcodeproj` directories within the user’s home folder and subdirectories. For each match, it locates the corresponding `project.pbxproj` file and embeds an encoded payload into a build rule, target configuration, or project setting. The payload is later executed during the build process." }, { "id": "S1091", "name": "Pacu", "desc_en": "Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups." }, { "id": "S1164", "name": "UPSTYLE", "desc_en": "UPSTYLE creates a `.pth` file beginning with the text `import` so that any time another process or script attempts to reference the modified item the malicious code will also run." } ], "mitigations": [ { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Perform regular software updates to mitigate exploitation risk.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0010", "name": "Behavioral Detection of Event Triggered Execution Across Platforms", "name_ja": "イベントトリガー実行の検知", "desc_en": "", "desc_ja": "イベントトリガー実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1547", "ja": "起動/ログオン時の自動実行", "en": "Boot or Logon Autostart Execution", "desc_en": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.", "desc_ja": "敵対者は、起動/ログオン時の自動実行機構を悪用して永続化することがある。", "platforms": "Linux, macOS, Windows, Network Devices", "version": "1.3", "created": "2020-01-23", "modified": "2025-10-24", "subs": [ { "sid": ".001", "tid": "T1547.001", "ja": "レジストリRunキー/スタートアップフォルダ", "en": "Registry Run Keys / Startup Folder", "desc_en": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.", "desc_ja": "敵対者は、レジストリRunキーやスタートアップフォルダを悪用して永続化することがある。" }, { "sid": ".002", "tid": "T1547.002", "ja": "認証パッケージ", "en": "Authentication Package", "desc_en": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.", "desc_ja": "敵対者は、認証パッケージを悪用してコードを実行・永続化することがある。" }, { "sid": ".003", "tid": "T1547.003", "ja": "タイムプロバイダ", "en": "Time Providers", "desc_en": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.", "desc_ja": "敵対者は、タイムプロバイダを悪用してコードを実行・永続化することがある。" }, { "sid": ".004", "tid": "T1547.004", "ja": "WinlogonヘルパDLL", "en": "Winlogon Helper DLL", "desc_en": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon.", "desc_ja": "敵対者は、WinlogonヘルパDLLを悪用して永続化することがある。" }, { "sid": ".005", "tid": "T1547.005", "ja": "セキュリティサポートプロバイダ", "en": "Security Support Provider", "desc_en": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "desc_ja": "敵対者は、セキュリティサポートプロバイダ(SSP)を悪用して永続化することがある。" }, { "sid": ".006", "tid": "T1547.006", "ja": "カーネルモジュールと拡張", "en": "Kernel Modules and Extensions", "desc_en": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.", "desc_ja": "敵対者は、カーネルモジュールや拡張を悪用して永続化することがある。" }, { "sid": ".007", "tid": "T1547.007", "ja": "再オープンアプリケーション", "en": "Re-opened Applications", "desc_en": "Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to \"Reopen windows when logging back in\". When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon.", "desc_ja": "敵対者は、再オープンアプリケーション機能を悪用して永続化することがある。" }, { "sid": ".008", "tid": "T1547.008", "ja": "LSASSドライバ", "en": "LSASS Driver", "desc_en": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.", "desc_ja": "敵対者は、LSASSドライバを悪用してコードを実行・永続化することがある。" }, { "sid": ".009", "tid": "T1547.009", "ja": "ショートカットの変更", "en": "Shortcut Modification", "desc_en": "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.", "desc_ja": "敵対者は、ショートカット(.lnk)を改変して永続化することがある。" }, { "sid": ".010", "tid": "T1547.010", "ja": "ポートモニタ", "en": "Port Monitors", "desc_en": "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\\Windows\\System32 and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.", "desc_ja": "敵対者は、ポートモニタを悪用して永続化することがある。" }, { "sid": ".012", "tid": "T1547.012", "ja": "プリントプロセッサ", "en": "Print Processors", "desc_en": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.", "desc_ja": "敵対者は、プリントプロセッサを悪用して永続化することがある。" }, { "sid": ".013", "tid": "T1547.013", "ja": "XDG自動起動エントリ", "en": "XDG Autostart Entries", "desc_en": "Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.", "desc_ja": "敵対者は、XDG自動起動エントリを悪用してLinuxで永続化することがある。" }, { "sid": ".014", "tid": "T1547.014", "ja": "Active Setup", "en": "Active Setup", "desc_en": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level.", "desc_ja": "敵対者は、Active Setupを悪用して永続化することがある。" }, { "sid": ".015", "tid": "T1547.015", "ja": "ログインアイテム", "en": "Login Items", "desc_en": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.", "desc_ja": "敵対者は、ログインアイテムを悪用してmacOSで永続化することがある。" } ], "procedures": [ { "id": "G1044", "name": "APT42", "desc_en": "APT42 has modified the Registry to maintain persistence." }, { "id": "S0083", "name": "Misdat", "desc_en": "Misdat has created registry keys for persistence, including `HKCU\\Software\\dnimtsoleht\\StubPath`, `HKCU\\Software\\snimtsOleht\\StubPath`, `HKCU\\Software\\Backtsaleht\\StubPath`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed. Components\\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`." }, { "id": "S0084", "name": "Mis-Type", "desc_en": "Mis-Type has created registry keys for persistence, including `HKCU\\Software\\bkfouerioyou`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`." }, { "id": "S0567", "name": "Dtrack", "desc_en": "Dtrack’s RAT makes a persistent target file with auto execution on the host start." }, { "id": "S0651", "name": "BoxCaon", "desc_en": "BoxCaon established persistence by setting the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load registry key to point to its executable." }, { "id": "S0653", "name": "xCaon", "desc_en": "xCaon has added persistence via the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load which causes the malware to run each time any user logs in." } ], "mitigations": [], "detections": [ { "id": "DET0274", "name": "Boot or Logon Autostart Execution Detection Strategy", "name_ja": "起動/ログオン時の自動実行の検知", "desc_en": "", "desc_ja": "起動/ログオン時の自動実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1548", "ja": "昇格制御メカニズムの悪用", "en": "Abuse Elevation Control Mechanism", "desc_en": "Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.", "desc_ja": "敵対者は、UACやsudo等の昇格制御メカニズムを悪用して権限昇格することがある。", "platforms": "Linux, macOS, Windows, IaaS, Office Suite, Identity Provider", "version": "2.0", "created": "2020-01-30", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1548.001", "ja": "Setuidとsetgid", "en": "Setuid and Setgid", "desc_en": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.", "desc_ja": "敵対者は、setuid/setgidを悪用して権限昇格することがある。" }, { "sid": ".002", "tid": "T1548.002", "ja": "ユーザーアカウント制御(UAC)のバイパス", "en": "Bypass User Account Control", "desc_en": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.", "desc_ja": "敵対者は、UAC(ユーザーアカウント制御)をバイパスして権限昇格することがある。" }, { "sid": ".003", "tid": "T1548.003", "ja": "Sudoとsudoキャッシュ", "en": "Sudo and Sudo Caching", "desc_en": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.", "desc_ja": "敵対者は、sudoやsudoキャッシュを悪用して権限昇格することがある。" }, { "sid": ".004", "tid": "T1548.004", "ja": "プロンプト付き昇格実行", "en": "Elevated Execution with Prompt", "desc_en": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.", "desc_ja": "敵対者は、プロンプト付き昇格実行(AuthorizationExecuteWithPrivileges等)を悪用することがある。" }, { "sid": ".005", "tid": "T1548.005", "ja": "一時的な昇格クラウドアクセス", "en": "Temporary Elevated Cloud Access", "desc_en": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.", "desc_ja": "敵対者は、一時的な昇格クラウドアクセスを悪用して権限昇格することがある。" }, { "sid": ".006", "tid": "T1548.006", "ja": "TCC操作", "en": "TCC Manipulation", "desc_en": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).", "desc_ja": "敵対者は、macOSのTCCを操作して権限/アクセスを得ることがある。" } ], "procedures": [ { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has used vSphere Installation Bundles (VIBs) that contained modified descriptor XML files with the `acceptance-level` set to `partner` which allowed for privilege escalation." }, { "id": "S1130", "name": "Raspberry Robin", "desc_en": "Raspberry Robin implements a variation of the ucmDccwCOMMethod technique abusing the Windows AutoElevate backdoor to bypass UAC while elevating privileges." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1022", "name": "Restrict File and Directory Permissions", "name_ja": "ファイル/ディレクトリ権限の制限", "desc_en": "The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.", "desc_ja": "ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。" }, { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Remove users from the local administrator group on systems.\n\nBy requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1028", "name": "Operating System Configuration", "name_ja": "オペレーティングシステム構成", "desc_en": "Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. Ensuring that the sudo tty_tickets setting is enabled will prevent this leakage across tty sessions.", "desc_ja": "OSを安全に構成し、攻撃対象領域を縮小する。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "System settings can prevent applications from running that haven't been downloaded from legitimate repositories which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1047", "name": "Audit", "name_ja": "監査", "desc_en": "Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.", "desc_ja": "システムやアカウントを監査し、不正な活動を検出する。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Perform regular software updates to mitigate exploitation risk.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" }, { "id": "M1052", "name": "User Account Control", "name_ja": "ユーザーアカウント制御(UAC)", "desc_en": "Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL.", "desc_ja": "UACを適切に構成し、権限昇格を防ぐ。" } ], "detections": [ { "id": "DET0345", "name": "Detection Strategy for Abuse Elevation Control Mechanism (T1548)", "name_ja": "昇格制御メカニズムの悪用の検知", "desc_en": "", "desc_ja": "昇格制御メカニズムの悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1611", "ja": "ホストへのエスケープ", "en": "Escape to Host", "desc_en": "Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.", "desc_ja": "敵対者は、コンテナからホストへエスケープして権限昇格することがある。", "platforms": "Windows, Linux, Containers, ESXi", "version": "1.6", "created": "2021-03-30", "modified": "2025-10-24", "subs": [], "procedures": [ { "id": "G0139", "name": "TeamTNT", "desc_en": "TeamTNT has deployed privileged containers that mount the filesystem of victim machine." }, { "id": "S0600", "name": "Doki", "desc_en": "Doki’s container was configured to bind the host root directory." }, { "id": "S0601", "name": "Hildegard", "desc_en": "Hildegard has used the BOtB tool that can break out of containers." }, { "id": "S0623", "name": "Siloscape", "desc_en": "Siloscape maps the host’s C drive to the container by creating a global symbolic link to the host through the calling of NtSetInformationSymbolicLink." }, { "id": "S0683", "name": "Peirates", "desc_en": "Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath." } ], "mitigations": [ { "id": "M1026", "name": "Privileged Account Management", "name_ja": "特権アカウント管理", "desc_en": "Ensure containers are not running as root by default and do not use unnecessary privileges or mounted components. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.", "desc_ja": "特権アカウントの利用を最小化・監視し、悪用を防ぐ。" }, { "id": "M1038", "name": "Execution Prevention", "name_ja": "実行防止", "desc_en": "Use read-only containers, read-only file systems, and minimal images when possible to prevent the running of commands. Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.", "desc_ja": "許可されていないコードの実行を防止する。" }, { "id": "M1042", "name": "Disable or Remove Feature or Program", "name_ja": "機能・プログラムの無効化または削除", "desc_en": "Remove unnecessary tools and software from containers.", "desc_ja": "不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。" }, { "id": "M1048", "name": "Application Isolation and Sandboxing", "name_ja": "アプリケーション分離・サンドボックス化", "desc_en": "Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.", "desc_ja": "アプリを分離・サンドボックス化し、影響範囲を限定する。" }, { "id": "M1051", "name": "Update Software", "name_ja": "ソフトウェア更新", "desc_en": "Ensure that hosts are kept up-to-date with security patches.", "desc_ja": "ソフトウェアを最新に保ち、既知の脆弱性を修正する。" } ], "detections": [ { "id": "DET0219", "name": "Detection Strategy for Escape to Host", "name_ja": "ホストへのエスケープの検知", "desc_en": "", "desc_ja": "ホストへのエスケープに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] } ] }, { "tactic": "TA0005", "tactic_en": "Stealth", "tactic_ja": "ステルス", "techniques": [ { "tid": "T1006", "ja": "ボリュームへの直接アクセス", "en": "Direct Volume Access", "desc_en": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.", "desc_ja": "敵対者は、ボリュームへ直接アクセスしてファイルシステムの保護を回避することがある。", "platforms": "Network Devices, Windows", "version": "3.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0051", "name": "APT28 Nearest Neighbor Campaign", "desc_en": "During APT28 Nearest Neighbor Campaign, APT28 accessed volume shadow copies through executing vssadmin in order to dump the NTDS.dit file." }, { "id": "C0063", "name": "2025 Poland Wiper Attacks", "desc_en": "During the 2025 Poland Wiper Attacks, the adversaries copied volume shadow copies through executing `vssadmin` in order to dump the `NTDS.dit` file." }, { "id": "G1015", "name": "Scattered Spider", "desc_en": "Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the `NTDS.dit` file." }, { "id": "G1017", "name": "Volt Typhoon", "desc_en": "Volt Typhoon has executed the Windows-native `vssadmin` command to create volume shadow copies." }, { "id": "S0404", "name": "esentutl", "desc_en": "esentutl can use the Volume Shadow Copy service to copy locked files such as `ntds.dit`." } ], "mitigations": [ { "id": "M1018", "name": "User Account Management", "name_ja": "ユーザーアカウント管理", "desc_en": "Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity.", "desc_ja": "アカウントの作成・権限・ライフサイクルを適切に管理する。" }, { "id": "M1040", "name": "Behavior Prevention on Endpoint", "name_ja": "エンドポイントでの挙動防止", "desc_en": "Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services.", "desc_ja": "エンドポイントで悪意ある挙動を検出・防止する。" } ], "detections": [ { "id": "DET0426", "name": "Detection of Direct Volume Access for File System Evasion", "name_ja": "ボリュームへの直接アクセスの検知", "desc_en": "", "desc_ja": "ボリュームへの直接アクセスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1014", "ja": "ルートキット", "en": "Rootkit", "desc_en": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "desc_ja": "敵対者は、ルートキットを用いて自身の存在を隠蔽することがある。", "platforms": "Linux, macOS, Windows", "version": "2.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [], "procedures": [ { "id": "C0046", "name": "ArcaneDoor", "desc_en": "ArcaneDoor included hooking the `processHostScanReply()` function on victim Cisco ASA devices." }, { "id": "C0056", "name": "RedPenguin", "desc_en": "During RedPenguin, UNC3886 used rootkits such as REPTILE and MEDUSA." }, { "id": "G0007", "name": "APT28", "desc_en": "APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax." }, { "id": "G0044", "name": "Winnti Group", "desc_en": "Winnti Group used a rootkit to modify typical server functionality." }, { "id": "G0096", "name": "APT41", "desc_en": "APT41 deployed rootkits on Linux systems." }, { "id": "G0106", "name": "Rocke", "desc_en": "Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists." }, { "id": "G0139", "name": "TeamTNT", "desc_en": "TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine." }, { "id": "G1048", "name": "UNC3886", "desc_en": "UNC3886 has used the publicly available rootkits REPTILE and MEDUSA on targeted VMs." }, { "id": "S0009", "name": "Hikit", "desc_en": "Hikit is a Rootkit that has been used by Axiom." }, { "id": "S0012", "name": "PoisonIvy", "desc_en": "PoisonIvy starts a rootkit from a malicious file dropped to disk." }, { "id": "S0022", "name": "Uroburos", "desc_en": "Uroburos can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components." }, { "id": "S0027", "name": "Zeroaccess", "desc_en": "Zeroaccess is a kernel-mode rootkit." }, { "id": "S0040", "name": "HTRAN", "desc_en": "HTRAN can install a rootkit to hide network connections from the host OS." }, { "id": "S0047", "name": "Hacking Team UEFI Rootkit", "desc_en": "Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems." }, { "id": "S0135", "name": "HIDEDRV", "desc_en": "HIDEDRV is a rootkit that hides certain operating system artifacts." }, { "id": "S0221", "name": "Umbreon", "desc_en": "Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware." }, { "id": "S0377", "name": "Ebury", "desc_en": "Ebury acts as a user land rootkit using the SSH service." }, { "id": "S0394", "name": "HiddenWasp", "desc_en": "HiddenWasp uses a rootkit to hook and implement functions on the system." }, { "id": "S0397", "name": "LoJax", "desc_en": "LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems." }, { "id": "S0430", "name": "Winnti for Linux", "desc_en": "Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity." }, { "id": "S0458", "name": "Ramsay", "desc_en": "Ramsay has included a rootkit to evade defenses." }, { "id": "S0468", "name": "Skidmap", "desc_en": "Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low." }, { "id": "S0484", "name": "Carberp", "desc_en": "Carberp has used user mode rootkit techniques to remain hidden on the system." }, { "id": "S0502", "name": "Drovorub", "desc_en": "Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view." }, { "id": "S0572", "name": "Caterpillar WebShell", "desc_en": "Caterpillar WebShell has a module to use a rootkit on a system." }, { "id": "S0601", "name": "Hildegard", "desc_en": "Hildegard has modified /etc/ld.so.preload to overwrite readdir() and readdir64()." }, { "id": "S0603", "name": "Stuxnet", "desc_en": "Stuxnet uses a Windows rootkit to mask its binaries and other relevant files." }, { "id": "S0670", "name": "WarzoneRAT", "desc_en": "WarzoneRAT can include a rootkit to hide processes, files, and startup." }, { "id": "S1105", "name": "COATHANGER", "desc_en": "COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices." }, { "id": "S1186", "name": "Line Dancer", "desc_en": "Line Dancer can hook both the crash dump process and the Autehntication, Authorization, and Accounting (AAA) functions on compromised machines to evade forensic analysis and authentication mechanisms." }, { "id": "S1219", "name": "REPTILE", "desc_en": "REPTILE has the ability to hook kernel functions and modify functions data to achieve rootkit functionality such as hiding processes and network connections." }, { "id": "S1220", "name": "MEDUSA", "desc_en": "MEDUSA is a rootkit with command execution and credential logging capabilities." } ], "mitigations": [], "detections": [ { "id": "DET0377", "name": "Detection of Kernel/User-Level Rootkit Behavior Across Platforms", "name_ja": "ルートキットの検知", "desc_en": "", "desc_ja": "ルートキットに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。" } ] }, { "tid": "T1027", "ja": "難読化されたファイル/情報", "en": "Obfuscated Files or Information", "desc_en": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.", "desc_ja": "敵対者は、ファイルや情報を難読化して検知や分析を回避することがある。", "platforms": "ESXi, Linux, macOS, Network Devices, Windows", "version": "2.0", "created": "2017-05-31", "modified": "2026-05-12", "subs": [ { "sid": ".001", "tid": "T1027.001", "ja": "バイナリパディング", "en": "Binary Padding", "desc_en": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.", "desc_ja": "敵対者は、ファイルに無意味なデータを詰めてサイズやハッシュを変え、検知を回避することがある。" }, { "sid": ".002", "tid": "T1027.002", "ja": "ソフトウェアパッキング", "en": "Software Packing", "desc_en": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.", "desc_ja": "敵対者は、ソフトウェアパッカーで実行ファイルを圧縮・暗号化して解析や検知を回避することがある。" }, { "sid": ".003", "tid": "T1027.003", "ja": "ステガノグラフィ", "en": "Steganography", "desc_en": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", "desc_ja": "敵対者は、ステガノグラフィを用いて画像等にコードやデータを隠すことがある。" }, { "sid": ".004", "tid": "T1027.004", "ja": "配送後コンパイル", "en": "Compile After Delivery", "desc_en": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe, csc.exe, or GCC/MinGW.", "desc_ja": "敵対者は、配送後に標的上でソースをコンパイルし、配送時の検知を回避することがある。" }, { "sid": ".005", "tid": "T1027.005", "ja": "ツールからの指標除去", "en": "Indicator Removal from Tools", "desc_en": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.", "desc_ja": "敵対者は、ツールから検知指標を除去して、シグネチャ検知を回避することがある。" }, { "sid": ".006", "tid": "T1027.006", "ja": "HTMLスマグリング", "en": "HTML Smuggling", "desc_en": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.", "desc_ja": "敵対者は、HTMLスマグリングを用いてブラウザ上で悪意あるペイロードを組み立て、配送時の検知を回避することがある。" }, { "sid": ".007", "tid": "T1027.007", "ja": "動的API解決", "en": "Dynamic API Resolution", "desc_en": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.", "desc_ja": "敵対者は、APIを実行時に動的解決して、静的解析による検知を回避することがある。" }, { "sid": ".008", "tid": "T1027.008", "ja": "ストリップ済みペイロード", "en": "Stripped Payloads", "desc_en": "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.", "desc_ja": "敵対者は、シンボル等を除去(ストリップ)したペイロードを用いて解析を困難にすることがある。" }, { "sid": ".009", "tid": "T1027.009", "ja": "埋め込みペイロード", "en": "Embedded Payloads", "desc_en": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.", "desc_ja": "敵対者は、別ファイルにペイロードを埋め込んで隠蔽することがある。" }, { "sid": ".010", "tid": "T1027.010", "ja": "コマンド難読化", "en": "Command Obfuscation", "desc_en": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.", "desc_ja": "敵対者は、コマンドラインを難読化して検知や解析を回避することがある。" }, { "sid": ".011", "tid": "T1027.011", "ja": "ファイルレスストレージ", "en": "Fileless Storage", "desc_en": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository. Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk..", "desc_ja": "敵対者は、ファイルとして残さずレジストリ等にデータを保存(ファイルレス)して検知を回避することがある。" }, { "sid": ".012", "tid": "T1027.012", "ja": "LNKアイコンスマグリング", "en": "LNK Icon Smuggling", "desc_en": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.", "desc_ja": "敵対者は、LNKファイルのアイコン参照を悪用してペイロードを密かに取得することがある。" }, { "sid": ".013", "tid": "T1027.013", "ja": "暗号化/エンコードファイル", "en": "Encrypted/Encoded File", "desc_en": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.", "desc_ja": "敵対者は、ファイルを暗号化/エンコードして検知や解析を回避することがある。" }, { "sid": ".014", "tid": "T1027.014", "ja": "ポリモーフィックコード", "en": "Polymorphic Code", "desc_en": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution. With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools. \nOther obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as Software Packing, Command Obfuscation, or Encrypted/Encoded File.", "desc_ja": "敵対者は、ポリモーフィックコードを用いて毎回異なる形態にし、シグネチャ検知を回避することがある。" }, { "sid": ".015", "tid": "T1027.015", "ja": "圧縮", "en": "Compression", "desc_en": "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., Fileless Storage).", "desc_ja": "敵対者は、ファイルを圧縮して検知や解析を回避することがある。" }, { "sid": ".016", "tid": "T1027.016", "ja": "ジャンクコード挿入", "en": "Junk Code Insertion", "desc_en": "Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with Compression or Software Packing.", "desc_ja": "敵対者は、ジャンクコードを挿入して解析やシグネチャ検知を妨げることがある。" }, { "sid": ".017", "tid": "T1027.017", "ja": "SVGスマグリング", "en": "SVG Smuggling", "desc_en": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files. SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `