
Commit 8b5d1c8

authoredNov 1, 2022
feat(cwe, cti): update dictionary (future-architect#1553)
* feat(cwe): update CWE dictionary * feat(cti): update CTI dictionary * fix(cwe): fix typo
1 parent dea80f8 commit 8b5d1c8

3 files changed

+1869
-762
lines changed


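--- a/cti/cti.go
+++ b/cti/cti.go
@@ -660,7 +660,7 @@ var TechniqueDict = map[string]Technique{
 Name: "CAPEC-35: Leverage Executable Code in Non-Executable Files",
 },
 "CAPEC-36": {
-Name: "CAPEC-36: Using Unpublished Interfaces",
+Name: "CAPEC-36: Using Unpublished Interfaces or Functionality",
 },
 "CAPEC-37": {
 Name: "CAPEC-37: Retrieve Embedded Sensitive Data",
@@ -831,7 +831,7 @@ var TechniqueDict = map[string]Technique{
 Name: "CAPEC-442: Infected Software",
 },
 "CAPEC-443": {
-Name: "CAPEC-443: Malicious Logic Inserted Into Product Software by Authorized Developer",
+Name: "CAPEC-443: Malicious Logic Inserted Into Product by Authorized Developer",
 },
 "CAPEC-444": {
 Name: "CAPEC-444: Development Alteration",
@@ -840,7 +840,7 @@ var TechniqueDict = map[string]Technique{
 Name: "CAPEC-445: Malicious Logic Insertion into Product Software via Configuration Management Manipulation",
 },
 "CAPEC-446": {
-Name: "CAPEC-446: Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency",
+Name: "CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component",
 },
 "CAPEC-447": {
 Name: "CAPEC-447: Design Alteration",
@@ -1382,9 +1382,6 @@ var TechniqueDict = map[string]Technique{
 "CAPEC-628": {
 Name: "CAPEC-628: Carry-Off GPS Attack",
 },
-"CAPEC-629": {
-Name: "CAPEC-629: Unauthorized Use of Device Resources",
-},
 "CAPEC-63": {
 Name: "CAPEC-63: Cross-Site Scripting (XSS)",
 },
@@ -1464,7 +1461,7 @@ var TechniqueDict = map[string]Technique{
 Name: "CAPEC-652: Use of Known Kerberos Credentials",
 },
 "CAPEC-653": {
-Name: "CAPEC-653: Use of Known Windows Credentials",
+Name: "CAPEC-653: Use of Known Operating System Credentials",
 },
 "CAPEC-654": {
 Name: "CAPEC-654: Credential Prompt Impersonation",
@@ -1553,9 +1550,39 @@ var TechniqueDict = map[string]Technique{
 "CAPEC-681": {
 Name: "CAPEC-681: Exploitation of Improperly Controlled Hardware Security Identifiers",
 },
+"CAPEC-682": {
+Name: "CAPEC-682: Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities",
+},
 "CAPEC-69": {
 Name: "CAPEC-69: Target Programs with Elevated Privileges",
 },
+"CAPEC-690": {
+Name: "CAPEC-690: Metadata Spoofing",
+},
+"CAPEC-691": {
+Name: "CAPEC-691: Spoof Open-Source Software Metadata",
+},
+"CAPEC-692": {
+Name: "CAPEC-692: Spoof Version Control System Commit Metadata",
+},
+"CAPEC-693": {
+Name: "CAPEC-693: StarJacking",
+},
+"CAPEC-694": {
+Name: "CAPEC-694: System Location Discovery",
+},
+"CAPEC-695": {
+Name: "CAPEC-695: Repo Jacking",
+},
+"CAPEC-696": {
+Name: "CAPEC-696: Load Value Injection",
+},
+"CAPEC-697": {
+Name: "CAPEC-697: DHCP Spoofing",
+},
+"CAPEC-698": {
+Name: "CAPEC-698: Install Malicious Extension",
+},
 "CAPEC-7": {
 Name: "CAPEC-7: Blind SQL Injection",
 },
@@ -1596,7 +1623,7 @@ var TechniqueDict = map[string]Technique{
 Name: "CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic",
 },
 "CAPEC-81": {
-Name: "CAPEC-81: Web Logs Tampering",
+Name: "CAPEC-81: Web Server Logs Tampering",
 },
 "CAPEC-83": {
 Name: "CAPEC-83: XPath Injection",
@@ -1814,6 +1841,18 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0005: Defense Evasion => T1027.006: HTML Smuggling",
 Platforms: []string{"Linux", "Windows", "macOS"},
 },
+"T1027.007": {
+Name: "TA0005: Defense Evasion => T1027.007: Dynamic API Resolution",
+Platforms: []string{"Windows"},
+},
+"T1027.008": {
+Name: "TA0005: Defense Evasion => T1027.008: Stripped Payloads",
+Platforms: []string{"Linux", "Windows", "macOS"},
+},
+"T1027.009": {
+Name: "TA0005: Defense Evasion => T1027.009: Embedded Payloads",
+Platforms: []string{"Linux", "Windows", "macOS"},
+},
 "T1029": {
 Name: "TA0010: Exfiltration => T1029: Scheduled Transfer",
 Platforms: []string{"Linux", "Windows", "macOS"},
@@ -2087,8 +2126,8 @@ var TechniqueDict = map[string]Technique{
 Platforms: []string{"Azure AD", "Google Workspace", "IaaS", "Office 365", "SaaS"},
 },
 "T1070": {
-Name: "TA0005: Defense Evasion => T1070: Indicator Removal on Host",
-Platforms: []string{"Containers", "Linux", "Network", "Windows", "macOS"},
+Name: "TA0005: Defense Evasion => T1070: Indicator Removal",
+Platforms: []string{"Containers", "Google Workspace", "Linux", "Network", "Office 365", "Windows", "macOS"},
 },
 "T1070.001": {
 Name: "TA0005: Defense Evasion => T1070.001: Clear Windows Event Logs",
@@ -2114,6 +2153,18 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0005: Defense Evasion => T1070.006: Timestomp",
 Platforms: []string{"Linux", "Windows", "macOS"},
 },
+"T1070.007": {
+Name: "TA0005: Defense Evasion => T1070.007: Clear Network Connection History and Configurations",
+Platforms: []string{"Linux", "Network", "Windows", "macOS"},
+},
+"T1070.008": {
+Name: "TA0005: Defense Evasion => T1070.008: Clear Mailbox Data",
+Platforms: []string{"Google Workspace", "Linux", "Office 365", "Windows", "macOS"},
+},
+"T1070.009": {
+Name: "TA0005: Defense Evasion => T1070.009: Clear Persistence",
+Platforms: []string{"Linux", "Windows", "macOS"},
+},
 "T1071": {
 Name: "TA0011: Command and Control => T1071: Application Layer Protocol",
 Platforms: []string{"Linux", "Windows", "macOS"},
@@ -2152,7 +2203,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1078": {
 Name: "TA0001: Initial Access, TA0003: Persistence, TA0004: Privilege Escalation, TA0005: Defense Evasion => T1078: Valid Accounts",
-Platforms: []string{"Azure AD", "Containers", "Google Workspace", "IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS"},
+Platforms: []string{"Azure AD", "Containers", "Google Workspace", "IaaS", "Linux", "Network", "Office 365", "SaaS", "Windows", "macOS"},
 },
 "T1078.001": {
 Name: "TA0001: Initial Access, TA0003: Persistence, TA0004: Privilege Escalation, TA0005: Defense Evasion => T1078.001: Default Accounts",
@@ -2504,7 +2555,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1199": {
 Name: "TA0001: Initial Access => T1199: Trusted Relationship",
-Platforms: []string{"IaaS", "Linux", "SaaS", "Windows", "macOS"},
+Platforms: []string{"IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS"},
 },
 "T1200": {
 Name: "TA0001: Initial Access => T1200: Hardware Additions",
@@ -2546,6 +2597,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0011: Command and Control => T1205.001: Port Knocking",
 Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
+"T1205.002": {
+Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0011: Command and Control => T1205.002: Socket Filters",
+Platforms: []string{"Linux", "Windows", "macOS"},
+},
 "T1207": {
 Name: "TA0005: Defense Evasion => T1207: Rogue Domain Controller",
 Platforms: []string{"Windows"},
@@ -2780,7 +2835,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1505": {
 Name: "TA0003: Persistence => T1505: Server Software Component",
-Platforms: []string{"Linux", "Windows", "macOS"},
+Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
 "T1505.001": {
 Name: "TA0003: Persistence => T1505.001: SQL Stored Procedures",
@@ -2792,7 +2847,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1505.003": {
 Name: "TA0003: Persistence => T1505.003: Web Shell",
-Platforms: []string{"Linux", "Windows", "macOS"},
+Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
 "T1505.004": {
 Name: "TA0003: Persistence => T1505.004: IIS Components",
@@ -2827,8 +2882,8 @@ var TechniqueDict = map[string]Technique{
 Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
 "T1530": {
-Name: "TA0009: Collection => T1530: Data from Cloud Storage Object",
-Platforms: []string{"IaaS"},
+Name: "TA0009: Collection => T1530: Data from Cloud Storage",
+Platforms: []string{"IaaS", "SaaS"},
 },
 "T1531": {
 Name: "TA0040: Impact => T1531: Account Access Removal",
@@ -2900,7 +2955,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1546": {
 Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1546: Event Triggered Execution",
-Platforms: []string{"Linux", "Windows", "macOS"},
+Platforms: []string{"IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS"},
 },
 "T1546.001": {
 Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1546.001: Change Default File Association",
@@ -2962,6 +3017,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1546.015: Component Object Model Hijacking",
 Platforms: []string{"Windows"},
 },
+"T1546.016": {
+Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1546.016: Installer Packages",
+Platforms: []string{"Linux", "Windows", "macOS"},
+},
 "T1547": {
 Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1547: Boot or Logon Autostart Execution",
 Platforms: []string{"Linux", "Windows", "macOS"},
@@ -3048,7 +3107,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1550.001": {
 Name: "TA0005: Defense Evasion, TA0008: Lateral Movement => T1550.001: Application Access Token",
-Platforms: []string{"Containers", "Google Workspace", "Office 365", "SaaS"},
+Platforms: []string{"Azure AD", "Containers", "Google Workspace", "IaaS", "Office 365", "SaaS"},
 },
 "T1550.002": {
 Name: "TA0005: Defense Evasion, TA0008: Lateral Movement => T1550.002: Pass the Hash",
@@ -3152,7 +3211,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1556": {
 Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556: Modify Authentication Process",
-Platforms: []string{"Linux", "Network", "Windows", "macOS"},
+Platforms: []string{"Azure AD", "Google Workspace", "IaaS", "Linux", "Network", "Office 365", "SaaS", "Windows", "macOS"},
 },
 "T1556.001": {
 Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556.001: Domain Controller Authentication",
@@ -3174,9 +3233,17 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556.005: Reversible Encryption",
 Platforms: []string{"Windows"},
 },
+"T1556.006": {
+Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556.006: Multi-Factor Authentication",
+Platforms: []string{"Azure AD", "Google Workspace", "IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS"},
+},
+"T1556.007": {
+Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556.007: Hybrid Identity",
+Platforms: []string{"Azure AD", "Google Workspace", "IaaS", "Office 365", "SaaS", "Windows"},
+},
 "T1557": {
 Name: "TA0006: Credential Access, TA0009: Collection => T1557: Adversary-in-the-Middle",
-Platforms: []string{"Linux", "Windows", "macOS"},
+Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
 "T1557.001": {
 Name: "TA0006: Credential Access, TA0009: Collection => T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay",
@@ -3550,6 +3617,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1583.006: Web Services",
 Platforms: []string{"PRE"},
 },
+"T1583.007": {
+Name: "TA0042: Resource Development => T1583.007: Serverless",
+Platforms: []string{"PRE"},
+},
 "T1584": {
 Name: "TA0042: Resource Development => T1584: Compromise Infrastructure",
 Platforms: []string{"PRE"},
@@ -3578,6 +3649,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1584.006: Web Services",
 Platforms: []string{"PRE"},
 },
+"T1584.007": {
+Name: "TA0042: Resource Development => T1584.007: Serverless",
+Platforms: []string{"PRE"},
+},
 "T1585": {
 Name: "TA0042: Resource Development => T1585: Establish Accounts",
 Platforms: []string{"PRE"},
@@ -3590,6 +3665,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1585.002: Email Accounts",
 Platforms: []string{"PRE"},
 },
+"T1585.003": {
+Name: "TA0042: Resource Development => T1585.003: Cloud Accounts",
+Platforms: []string{"PRE"},
+},
 "T1586": {
 Name: "TA0042: Resource Development => T1586: Compromise Accounts",
 Platforms: []string{"PRE"},
@@ -3602,6 +3681,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1586.002: Email Accounts",
 Platforms: []string{"PRE"},
 },
+"T1586.003": {
+Name: "TA0042: Resource Development => T1586.003: Cloud Accounts",
+Platforms: []string{"PRE"},
+},
 "T1587": {
 Name: "TA0042: Resource Development => T1587: Develop Capabilities",
 Platforms: []string{"PRE"},
@@ -3746,6 +3829,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0043: Reconnaissance => T1593.002: Search Engines",
 Platforms: []string{"PRE"},
 },
+"T1593.003": {
+Name: "TA0043: Reconnaissance => T1593.003: Code Repositories",
+Platforms: []string{"PRE"},
+},
 "T1594": {
 Name: "TA0043: Reconnaissance => T1594: Search Victim-Owned Websites",
 Platforms: []string{"PRE"},
@@ -3898,6 +3985,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1608.005: Link Target",
 Platforms: []string{"PRE"},
 },
+"T1608.006": {
+Name: "TA0042: Resource Development => T1608.006: SEO Poisoning",
+Platforms: []string{"PRE"},
+},
 "T1609": {
 Name: "TA0002: Execution => T1609: Container Administration Command",
 Platforms: []string{"Containers"},
@@ -3950,4 +4041,12 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0005: Defense Evasion => T1647: Plist File Modification",
 Platforms: []string{"macOS"},
 },
+"T1648": {
+Name: "TA0002: Execution => T1648: Serverless Execution",
+Platforms: []string{"IaaS", "Office 365", "SaaS"},
+},
+"T1649": {
+Name: "TA0006: Credential Access => T1649: Steal or Forge Authentication Certificates",
+Platforms: []string{"Azure AD", "Linux", "Windows", "macOS"},
+},
 }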
