Mitre alert packs T1600-1699
T1606 Forge Web Credentials
Purpose: Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services often use session cookies, tokens, or other materials to authenticate and authorize user access. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values, acquired for temporal access by taking advantage of features such as the Once forged, adversaries may use these web credentials to access resources (Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.
Included alerts:
Prerequisites:
  DATA SOURCES:
  LOOKUPS:
T1608 Stage Capabilities
Purpose: Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting by staging them on infrastructure under their control. These capabilities might be developed (Develop Capabilities) or obtained (Obtain Capabilities) and might be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.
Included alerts:
Prerequisites:
  DATA SOURCES:
  LOOKUPS:
T1614 System Location Discovery
Purpose: Adversaries may gather information in an attempt to calculate the geographical location of a victim host, which might be used during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. They may use various system checks, such as time zone, keyboard layout, and/or language settings. Windows API functions such as Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.
Included alerts:
Prerequisites:
  DATA SOURCES:
  LOOKUPS:
T1619 Cloud Storage Object Discovery
Purpose: Adversaries may enumerate objects in cloud storage infrastructure and use that information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure. Cloud service providers offer APIs that allow users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS and List Blobs in Azure.
Included alerts:
Prerequisites:
  DATA SOURCES:
  LOOKUPS:
T1628 Hide Artifacts
Purpose: Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.
Included alerts:
Prerequisites:
  DATA SOURCES:
  LOOKUPS: