Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Request for ATT&CK version to be added to objects #220

Open
himynamesdave opened this issue Aug 23, 2023 · 0 comments
Open

Request for ATT&CK version to be added to objects #220

himynamesdave opened this issue Aug 23, 2023 · 0 comments

Comments

@himynamesdave
Copy link

himynamesdave commented Aug 23, 2023

I'd love to be able to see the version ATT&CK inside an object.

Using the STIX object alone, it is not currently possible to do this.

For example; how do I know this object version is published in 13.1 (https://github.com/mitre/cti/blob/master/enterprise-attack/attack-pattern/attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298.json)?

{
    "type": "bundle",
    "id": "bundle--523a330b-0eba-42b3-93ab-f78c4e2d90b9",
    "spec_version": "2.0",
    "objects": [
        {
            "x_mitre_platforms": [
                "Windows"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298",
            "type": "attack-pattern",
            "created": "2020-01-14T17:18:32.126Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1055.011",
                    "url": "https://attack.mitre.org/techniques/T1055/011"
                },
                {
                    "url": "https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx",
                    "description": "Microsoft. (n.d.). About Window Classes. Retrieved December 16, 2017.",
                    "source_name": "Microsoft Window Classes"
                },
                {
                    "url": "https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx",
                    "description": "Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017.",
                    "source_name": "Microsoft GetWindowLong function"
                },
                {
                    "url": "https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx",
                    "description": "Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017.",
                    "source_name": "Microsoft SetWindowLong function"
                },
                {
                    "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
                    "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
                    "source_name": "Elastic Process Injection July 2017"
                },
                {
                    "url": "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html",
                    "description": "MalwareTech. (2013, August 13). PowerLoader Injection \u2013 Something truly amazing. Retrieved December 16, 2017.",
                    "source_name": "MalwareTech Power Loader Aug 2013"
                },
                {
                    "url": "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/",
                    "description": "Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.",
                    "source_name": "WeLiveSecurity Gapz and Redyms Mar 2013"
                },
                {
                    "url": "https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx",
                    "description": "Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017.",
                    "source_name": "Microsoft SendNotifyMessage function"
                }
            ],
            "modified": "2020-11-10T18:29:31.004Z",
            "name": "Extra Window Memory Injection",
            "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process\u2019s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process\u2019s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code>.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.  (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "defense-evasion"
                },
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "privilege-escalation"
                }
            ],
            "x_mitre_detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. (Citation: Elastic Process Injection July 2017)",
            "x_mitre_is_subtechnique": true,
            "x_mitre_version": "1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_data_sources": [
                "Process: OS API Execution"
            ],
            "x_mitre_defense_bypassed": [
                "Anti-virus",
                "Application control"
            ]
        }
    ]
}

The only ways I see to do this is to:

  1. compare the modified data to the ATTACK release dates (https://attack.mitre.org/resources/updates/), or
  2. use the tags in this repo https://github.com/mitre/cti/tags

Both are prone to issues.

Thus my suggestion is to add version to external_references, e.g.

                {
                    "source_name": "mitre-attack-version",
                    "external_id": "13.1",
                    "url": "https://attack.mitre.org/resources/updates/updates-april-2023/"
                }

Or as a custom property (less preferred, as not natively understood downstream)

e.g.

            "x_mitre_attck_version": 13.1,

Either will make it immediately clear what ATT&CK version the object was generated from.

Note this is slightly different to: #198 . I want to context at time of viewing the object.

@mitre mitre deleted a comment from emmanuel08081 Jul 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant