MITRE alert packs T1400-T1499
T1482 Domain Trust Discovery

Purpose: Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. This way, users of the trusted domain can access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the Win32 API call

Included alerts:

Prerequisites:
  Data sources:
  Lookups:
T1484 Domain Policy Modification

Purpose: Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means to manage how computer resources can act and interact on a network. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. These settings control many of the interactions within the Active Directory (AD) environment, which can lead to a great number of potential attacks (modifying GPOs to push a malicious Scheduled Task, modifying domain trusts to include an adversary-controlled domain that is subsequently accepted by victim domain resources, or implementing a Rogue Domain Controller). Adversaries may temporarily modify domain policy, carry out a malicious action or actions, and then revert the change to remove suspicious indicators.

Included alerts:

Prerequisites:
  Data sources:
  Lookups:
T1485 Data Destruction

Purpose: This alert pack will help you to protect against data being deleted outside of normal procedures. When that happens the SOC can launch an investigation, quickly remove any potential threats within the system, and restore whatever damage has been done. Destroyed data can not only cause disruptions to the business or to its users, but can also result in fees or penalties under government regulations and compliance audits. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Operating system file deletion commands such as

Included alerts:

Prerequisites:
  Data sources:
  Lookups:
T1486 Data Encrypted for Impact

Purpose: Adversaries may encrypt data on target systems or remote drives in a network to interrupt availability to system and network resources (sometimes even critical system files, disk partitions, and the MBR). In cloud environments, storage objects within compromised accounts may also be encrypted. This is done while withholding access to a decryption key (ransomware) to obtain monetary compensation in exchange. Adversaries may need to employ other behaviors first, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to gain access to manipulate these files.

Included alerts:

Prerequisites:
  Data sources:
  Lookups:
T1489 Service Stop

Purpose: Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries may accomplish this by disabling individual services of high importance to an organization, such as Services or processes may not allow for modification of their data stores while running, so adversaries stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.

Included alerts:

Prerequisites:
  Data sources:
  Lookups:
T1490 Inhibit System Recovery

Purpose: Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system, in order to prevent recovery. This may deny access to available backups and recovery options. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Disabling or deleting them may augment the effects of Data Destruction and Data Encrypted for Impact, and may even disable recovery notifications so that backups can later be corrupted unnoticed.

Included alerts:

Prerequisites:
  Data sources:
  Lookups:
T1496 Resource Hijacking

Purpose: Adversaries may leverage the resources of co-opted systems in order to solve resource-intensive problems, which may impact system and/or hosted service availability or cause them to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency.

Included alerts:

Prerequisites:
  Data sources: