MA
Uploaded byMITRE ATT&CK
PDF, PPTX151 views

MITRE ATT&CK Updates: Enterprise - Casey Knerr

The document provides updates on the MITRE ATT&CK framework, focusing on enhancements in version 16 regarding cloud platforms and identity-as-a-service solutions. It highlights upcoming content updates, particularly emphasizing support for Linux, network, and defense evasion strategies. The document also invites contributions related to cyber threat intelligence, especially concerning unconventional defense evasion behaviors.

Embed presentation

Download as PDF, PPTX
MITRE ATT&CK® Updates: Enterprise Casey Knerr, ATT&CK Enterprise Lead, MITRE © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
whoami Casey Knerr ATT&CK for Enterprise Lead and... • Cybersecurity engineer • Cloud + web security enthusiast • Collector of hobbies © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
These are the voyages… (What have we been working on for v16?) © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Cloud Platforms Infrastructure as a Service Software as a Service Azure AD Office 365 Google Workspace © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Cloud Platforms Infrastructure as a Service Software as a Service Azure AD Office 365 Google Workspace Infrastructure as a Service Software as a Service Identity Provider Office Suite © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Why? • There’s more than one identity-as-service platform! • Okta • Ping Identity • JumpCloud • OneLogin • etc. • Office 365 ≈ Google Workspace © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
V15 Updates: By popular demand © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
V15 Updates: An Oldie but a Goodie © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
V15 Updates: A Breakup… © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
To Boldly Go… (What are we planning to do next?) © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Least Spicy: Content Updates • Focus on Linux and Network • More content • More CTI • Fill in the gaps © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Medium Spicy: Metadata Refactor Supports Remote Permissions Required Effective Permissions Defense Bypassed Impact Type Accurate? Consistently Applied? Standardized? Are these… Useful? © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Very Spicy: Another Breakup… © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Very Spicy: Another breakup… • Defense Evasion is very big • Could it be smaller? One of these things is not like the others… © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Very Spicy: Another Breakup… • Defense Evasion is really big • Can we tear it apart? • Evading detections versus mitigations? © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Unclear Spicy: What is this? Mandiant observed an unusual behavior by UNC5174 following their initial access on the compromised appliance. After backdoor accounts were configured, they attempted to self-patch the vulnerability using an F5-provided mitigation script "mitigation.sh".Mandiant assesses that this was an attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance. https://cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Unclear Spicy: What is this? The clean_cron function’s script makes the cron files mutable and removes all the existing cron jobs from /etc/crontab, /var/spool/cron, /etc/cron.d, and /var/spool/cron/crontabs to disrupt the existing malware functionalities, as well as the legitimate system functionalities. https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Unclear Spicy: What is this? First, the threat actor creates a new user role with login capability and high privileges.…Then, the current user postgres is stripped of superuser privileges.This restricts the privileges of other threat actors who might still gain access to the system via the weak password. https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/ © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
Unclear Spicy: What is this? • Evading other threat actors rather than victim • Patching vulnerabilities • Killing malicious processes / cron jobs • Removing privileges • Changing credentials • Closing ports • Not quite Defense Evasion as currently scoped © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
How you can help • Do you have Linux or Network CTI? • Are you using the metadata fields currently? • How do you feel about changes to Defense Evasion? • Do you have CTI for ~weird~ not-quite-defense-evasion behavior? • Do you have any other comments / complaints / questions? attack@mitre.org @MITREattack © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
https://attack.mitre.org attack@mitre.org @mitreattack Casey Knerr © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.

More Related Content

PDF
Leveraging Campaigns to Untangle the Threat Group Ship of Theseus
byAdam Pennington
 
PDF
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
PDF
How to measure your security response readiness?
byTomasz Jakubowski
 
PDF
State of the ATT&CK May 2023
byAdam Pennington
 
PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
State of the ATT&CK
byMITRE ATT&CK
 
PDF
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
byMITRE - ATT&CKcon
 
PDF
State of ATT&CK
byAdam Pennington
 
Leveraging Campaigns to Untangle the Threat Group Ship of Theseus
byAdam Pennington
 
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
How to measure your security response readiness?
byTomasz Jakubowski
 
State of the ATT&CK May 2023
byAdam Pennington
 
State of the ATTACK
byMITRE - ATT&CKcon
 
State of the ATT&CK
byMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
byMITRE - ATT&CKcon
 
State of ATT&CK
byAdam Pennington
 

Similar to MITRE ATT&CK Updates: Enterprise - Casey Knerr

PDF
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
byMITRE ATT&CK
 
PPTX
Automation: Embracing the Future of SecOps
byIBM Security
 
PDF
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
byNGINX, Inc.
 
PPTX
Building Cyber Resilience: No Safe Harbor
byAdvanced Technology Consulting (ATC)
 
PDF
Picking Up the Pieces: How Campaigns Can Help Us Better Track Groups
byAdam Pennington
 
PDF
Upgrade your attack model: finding and stopping fileless attacks with MITRE A...
byFaithWestdorp
 
PDF
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
byJames Anderson
 
PDF
FireEye - Breaches are inevitable, but the outcome is not
byMarketingArrowECS_CZ
 
PPTX
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PPTX
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
byShakacon
 
PDF
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PPTX
Intersect
byFotios Lindiakos
 
PDF
MITRE ATT&CK Updates: Software
byMITRE ATT&CK
 
PDF
Отчет Executive penetration RAPID 7
bySergey Yrievich
 
PDF
5 howtomitigate
byricharddxd
 
PPTX
Enterprise-MITRE-ATTandCK-Threat-Hunting _ Updated.pptx
byBheemeshChowdary2
 
PDF
Cyber Threat hunting workshop
byArpan Raval
 
PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
PDF
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
byMITRE ATT&CK
 
Automation: Embracing the Future of SecOps
byIBM Security
 
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
byNGINX, Inc.
 
Building Cyber Resilience: No Safe Harbor
byAdvanced Technology Consulting (ATC)
 
Picking Up the Pieces: How Campaigns Can Help Us Better Track Groups
byAdam Pennington
 
Upgrade your attack model: finding and stopping fileless attacks with MITRE A...
byFaithWestdorp
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
byJames Anderson
 
FireEye - Breaches are inevitable, but the outcome is not
byMarketingArrowECS_CZ
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
byShakacon
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
Intersect
byFotios Lindiakos
 
MITRE ATT&CK Updates: Software
byMITRE ATT&CK
 
Отчет Executive penetration RAPID 7
bySergey Yrievich
 
5 howtomitigate
byricharddxd
 
Enterprise-MITRE-ATTandCK-Threat-Hunting _ Updated.pptx
byBheemeshChowdary2
 
Cyber Threat hunting workshop
byArpan Raval
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 

More from MITRE ATT&CK

PDF
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
byMITRE ATT&CK
 
PDF
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
byMITRE ATT&CK
 
PDF
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
byMITRE ATT&CK
 
PDF
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
byMITRE ATT&CK
 
PDF
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
byMITRE ATT&CK
 
PDF
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
byMITRE ATT&CK
 
PDF
Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Enviro...
byMITRE ATT&CK
 
PDF
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
byMITRE ATT&CK
 
PDF
Every Cloud Has a Purple Lining - Arun Seelagan
byMITRE ATT&CK
 
PDF
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
byMITRE ATT&CK
 
PDF
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
byMITRE ATT&CK
 
PDF
ATT&CKcon 5.0 Lightning Talks - Various Speakers
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Software - Jared Ondricek
byMITRE ATT&CK
 
PDF
State of the ATT&CK 2024 - Adam Pennington
byMITRE ATT&CK
 
PDF
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
byMITRE ATT&CK
 
PDF
Updates from The Center for Threat Informed Defense - Jon Baker
byMITRE ATT&CK
 
PDF
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
byMITRE ATT&CK
 
PDF
ATT&CK From Basic Principles - Tareq AlKhatib
byMITRE ATT&CK
 
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
byMITRE ATT&CK
 
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
byMITRE ATT&CK
 
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
byMITRE ATT&CK
 
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
byMITRE ATT&CK
 
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
byMITRE ATT&CK
 
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
byMITRE ATT&CK
 
Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Enviro...
byMITRE ATT&CK
 
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
byMITRE ATT&CK
 
Every Cloud Has a Purple Lining - Arun Seelagan
byMITRE ATT&CK
 
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
byMITRE ATT&CK
 
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
byMITRE ATT&CK
 
ATT&CKcon 5.0 Lightning Talks - Various Speakers
byMITRE ATT&CK
 
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
byMITRE ATT&CK
 
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
byMITRE ATT&CK
 
MITRE ATT&CK Updates: Software - Jared Ondricek
byMITRE ATT&CK
 
State of the ATT&CK 2024 - Adam Pennington
byMITRE ATT&CK
 
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
byMITRE ATT&CK
 
Updates from The Center for Threat Informed Defense - Jon Baker
byMITRE ATT&CK
 
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
byMITRE ATT&CK
 
ATT&CK From Basic Principles - Tareq AlKhatib
byMITRE ATT&CK
 

Recently uploaded

PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PPTX
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Designing a Blog Using Wordpress
bymarkzubi50
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 

MITRE ATT&CK Updates: Enterprise - Casey Knerr

  • 1.
    MITRE ATT&CK® Updates: Enterprise CaseyKnerr, ATT&CK Enterprise Lead, MITRE © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 2.
    whoami Casey Knerr ATT&CK forEnterprise Lead and... • Cybersecurity engineer • Cloud + web security enthusiast • Collector of hobbies © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 3.
    These are thevoyages… (What have we been working on for v16?) © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 4.
    Cloud Platforms Infrastructure asa Service Software as a Service Azure AD Office 365 Google Workspace © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 5.
    Cloud Platforms Infrastructure asa Service Software as a Service Azure AD Office 365 Google Workspace Infrastructure as a Service Software as a Service Identity Provider Office Suite © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 6.
    Why? • There’s morethan one identity-as-service platform! • Okta • Ping Identity • JumpCloud • OneLogin • etc. • Office 365 ≈ Google Workspace © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 7.
    V15 Updates: Bypopular demand © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 8.
    V15 Updates: AnOldie but a Goodie © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 9.
    V15 Updates: ABreakup… © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 10.
    To Boldly Go… (Whatare we planning to do next?) © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 11.
    Least Spicy: ContentUpdates • Focus on Linux and Network • More content • More CTI • Fill in the gaps © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 12.
    Medium Spicy: MetadataRefactor Supports Remote Permissions Required Effective Permissions Defense Bypassed Impact Type Accurate? Consistently Applied? Standardized? Are these… Useful? © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 13.
    Very Spicy: AnotherBreakup… © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 14.
    Very Spicy: Anotherbreakup… • Defense Evasion is very big • Could it be smaller? One of these things is not like the others… © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 15.
    Very Spicy: AnotherBreakup… • Defense Evasion is really big • Can we tear it apart? • Evading detections versus mitigations? © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 16.
    Unclear Spicy: Whatis this? Mandiant observed an unusual behavior by UNC5174 following their initial access on the compromised appliance. After backdoor accounts were configured, they attempted to self-patch the vulnerability using an F5-provided mitigation script "mitigation.sh".Mandiant assesses that this was an attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance. https://cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 17.
    Unclear Spicy: Whatis this? The clean_cron function’s script makes the cron files mutable and removes all the existing cron jobs from /etc/crontab, /var/spool/cron, /etc/cron.d, and /var/spool/cron/crontabs to disrupt the existing malware functionalities, as well as the legitimate system functionalities. https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 18.
    Unclear Spicy: Whatis this? First, the threat actor creates a new user role with login capability and high privileges.…Then, the current user postgres is stripped of superuser privileges.This restricts the privileges of other threat actors who might still gain access to the system via the weak password. https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/ © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 19.
    Unclear Spicy: Whatis this? • Evading other threat actors rather than victim • Patching vulnerabilities • Killing malicious processes / cron jobs • Removing privileges • Changing credentials • Closing ports • Not quite Defense Evasion as currently scoped © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 20.
    How you canhelp • Do you have Linux or Network CTI? • Are you using the metadata fields currently? • How do you feel about changes to Defense Evasion? • Do you have CTI for ~weird~ not-quite-defense-evasion behavior? • Do you have any other comments / complaints / questions? attack@mitre.org @MITREattack © 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.
  • 21.
    https://attack.mitre.org attack@mitre.org @mitreattack Casey Knerr © 2024The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 24-00779-13.