Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

several Techniques in other matrices such as MOBILE are missing the 'x_mitre_is_subtechnique' key #131

Open
Cyb3rWard0g opened this issue Dec 3, 2020 · 4 comments
Open

several Techniques in other matrices such as MOBILE are missing the 'x_mitre_is_subtechnique' key #131

Cyb3rWard0g opened this issue Dec 3, 2020 · 4 comments
Labels
bug

Comments

@Cyb3rWard0g
Copy link

Hello CTI team,

I was looking at enhancing a few functions in a library I created named attackcti. I wanted to enable a new parameter/argument that would allow me to retrieve attack-pattern objects and filter them at query time (STIX Filter) with the filter Filter('x_mitre_is_subtechnique', '=', False) or Filter('x_mitre_is_subtechnique', '=', True).

I noticed this piece of code in your USAGE docs: https://github.com/mitre/cti/blob/master/USAGE.md#getting-techniques-or-sub-techniques

I tested it with other matrices besides ENTERPRISE, and it seems that some techniques are missing the x_mitre_is_subtechnique. This is of course not helping the stix filters I showed above. For example, I have a basic function that retrieves all techniques from MOBILE. If I check the keys of each stix object, I can see that several of them do not have it as shown before:

>>> t = lift.get_mobile_techniques()
>>> t = lift.remove_revoked(t)
>>> 
>>> for x in t:
...     if 'x_mitre_is_subtechnique' not in x.keys():
...             print(x['name'], '-', x['id'])
... 
Data from Local System - attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a
Data Encrypted - attack-pattern--e3b936a4-6321-4172-9114-038a866362ec
Evade Analysis Environment - attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b
Standard Cryptographic Protocol - attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84
Domain Generation Algorithms - attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de
Capture Camera - attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6
Uncommonly Used Port - attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5
Clipboard Modification - attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb
Network Information Discovery - attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2
Web Service - attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380
Deliver Malicious App via Other Means - attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7
Deliver Malicious App via Authorized App Store - attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a
Exploit via Radio Interfaces - attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5
Install Insecure or Malicious Configuration - attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2
Process Discovery - attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19
System Network Connections Discovery - attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb
Standard Application Layer Protocol - attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673
Obfuscated Files or Information - attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a
Modify OS Kernel or Boot Partition - attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5
Modify System Partition - attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0
Abuse Device Administrator Access to Prevent Removal - attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483
Exploit OS Vulnerability - attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172
Modify Cached Executable Code - attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6
Application Discovery - attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2
Alternate Network Mediums - attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a
Network Service Scanning - attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790
Eavesdrop on Insecure Network Communication - attack-pattern--393e8c12-a416-4575-ba90-19cc85656796
Jamming or Denial of Service - attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d
Manipulate Device Communication - attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63
Lockscreen Bypass - attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd
Exploit via Charging Station or PC - attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d
Exploit TEE Vulnerability - attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884
Rogue Cellular Base Station - attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed
File and Directory Discovery - attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848
Downgrade to Insecure Protocols - attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34
Rogue Wi-Fi Access Points - attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3
Remotely Track Device Without Authorization - attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a
Access Calendar Entries - attack-pattern--62adb627-f647-498e-b4cc-41499361bacb
SIM Card Swap - attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5
Capture Clipboard Data - attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692
Generate Fraudulent Advertising Revenue - attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf
Modify Trusted Execution Environment - attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468
Obtain Device Cloud Backups - attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d
Device Lockout - attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1
Access Sensitive Data in Device Logs - attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3
Commonly Used Port - attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad
Capture SMS Messages - attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060
Access Stored Application Data - attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160
Network Traffic Capture or Redirection - attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9
Download New Code at Runtime - attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6
Disguise Root/Jailbreak Indicators - attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6
Attack PC via USB Connection - attack-pattern--a0464539-e1b7-4455-a355-12495987c300
Exploit Enterprise Resources - attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d
Capture Audio - attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760
Location Tracking - attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4
Access Contact List - attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce
Access Call Log - attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44
Data Encrypted for Impact - attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4
Exploit SS7 to Track Device Location - attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5
Remotely Wipe Data Without Authorization - attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067
Manipulate App Store Rankings or Ratings - attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69
Drive-by Compromise - attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57
Exploit SS7 to Redirect Phone Calls/SMS - attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d

This affects when I try to do something similar to what was done here: https://github.com/mitre/cti/blob/master/USAGE.md#getting-techniques-or-sub-techniques

This is what it looks like:

>>> t = lift.get_mobile_techniques()
>>> len(t)
104
>>> t = lift.remove_revoked(t)
>>> len(t)
87
>>> t = lift.get_mobile_techniques(level='techniques')
>>> len(t)
24
>>> t = lift.remove_revoked(t)
>>> len(t)
24
>>> t = lift.get_mobile_techniques(level='subtechniques')
>>> len(t)
0
>>>

That means that 24 out of the 87 technique objects have the x_mitre_is_subtechnique property/key. The others do not. I do not know if it is supposed to be like that by design. For example, we have one technique in ENTERPRISE and MOBILE but only one has the x_mitre_is_subtechnique key

ENTERPRISE: https://github.com/mitre/cti/blob/master/enterprise-attack/attack-pattern/attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5.json

MOBILE: https://github.com/mitre/cti/blob/253622f36393e4aa012725f0ce428dcd275f5d20/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json

Thank you in advance!

Roberto Rodriguez
@isaisabel
Copy link
Member

Hi @Cyb3rWard0g,

Mobile and ICS ATT&CK don't include sub-techniques at all, so the x_mitre_is_subtechnique field isn't currently part of their data model. As noted in the USAGE document, that's an enterprise-only field. If/when sub-techniques are added to those domains x_mitre_is_subtechnique will be added as well.

In the case of Data from Local System, the enterprise and mobile instances are actually different techniques. They share a name, but their STIX IDs and ATT&CK IDs, description, etc are different. They also follow the data model for Enterprise and Mobile respectively, e.g the mobile instance includes x_mitre_tactic_type (an mobile-only field) and the enterprise instance includes x_mitre_system_requirements (an enterprise-only field).

For techniques, "cross-domain" objects like Data from Local System aren't truly cross domain. The instances are simply duplicated due to data model and scope differences. However, other types of objects such as groups don't have the same design, for instance Dark Caracal is the same object (same STIX ID and ATT&CK ID) for both domains [1, 2]. Another way to look at it is that there are two pages for Data from Local System on attack.mitre.org [1, 2], but only 1 for Dark Caracal [1].

All that is to say, since Mobile and ICS don't have sub-techniques, you shouldn't need to filter based on the presence of an x_mitre_is_subtechnique field. If/when those domains get sub-techniques we'll certainly make plenty of noise to alert the community beforehand, similar to our (Enterprise) sub-techniques beta this past April.

@isaisabel
Copy link
Member

Anyway, with regards to the mobile techniques which do have the x_mitre_is_subtechnique property... my guess is they're techniques which were created after we changed the enterprise data model? I'll look more into this later, that field shouldn't be there according to my understanding of our internal infrastructure.

@isaisabel
Copy link
Member

isaisabel commented Dec 4, 2020
edited
Loading

Techniques with x_mitre_is_subtechnique

name created modified STIX ID
SMS Control 2020-09-11 15:14:33.730000+00:00 2020-10-22 17:04:15.578000+00:00 attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b
Geofencing 2020-09-11 15:04:14.532000+00:00 2020-10-01 12:43:41.494000+00:00 attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31
Keychain 2020-06-24 17:33:49.778000+00:00 2020-06-24 19:02:46.237000+00:00 attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38
Compromise Application Executable 2020-05-07 15:24:49.068000+00:00 2020-05-27 13:23:34.159000+00:00 attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c
Uninstall Malicious Application 2020-05-04 13:49:34.706000+00:00 2020-05-26 18:05:37.393000+00:00 attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5
Native Code 2020-04-28 14:35:37.309000+00:00 2020-04-28 18:34:15.373000+00:00 attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb
Remote File Copy 2020-01-21 15:27:30.182000+00:00 2020-01-21 15:27:30.182000+00:00 attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8
Foreground Persistence 2019-11-19 17:32:20.373000+00:00 2019-12-26 16:14:33.302000+00:00 attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e
Code Injection 2019-10-30 15:37:55.029000+00:00 2020-03-29 04:07:06.663000+00:00 attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa
Input Injection 2019-09-15 15:26:22.356000+00:00 2020-06-24 15:02:13.323000+00:00 attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62
Access Notifications 2019-09-15 15:26:08.183000+00:00 2020-07-09 14:07:02.217000+00:00 attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2
Screen Capture 2019-08-08 18:34:14.178000+00:00 2020-06-24 15:03:25.857000+00:00 attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e
Suppress Application Icon 2019-07-11 18:09:42.039000+00:00 2019-11-14 18:03:26.460000+00:00 attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2
Supply Chain Compromise 2018-10-17 00:14:20.652000+00:00 2020-10-19 18:06:09.010000+00:00 attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad
Masquerade as Legitimate Application 2017-10-25 14:48:35.247000+00:00 2020-04-08 15:19:56.147000+00:00 attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f
Input Prompt 2017-10-25 14:48:34.407000+00:00 2020-06-24 15:04:20.321000+00:00 attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2
System Network Configuration Discovery 2017-10-25 14:48:32.740000+00:00 2020-06-02 14:35:01.479000+00:00 attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd
URI Hijacking 2017-10-25 14:48:32.008000+00:00 2020-10-01 12:42:21.628000+00:00 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58
Delete Device Data 2017-10-25 14:48:31.694000+00:00 2020-10-01 12:52:58.150000+00:00 attack-pattern--8e27551a-5080-4148-a584-c64348212e4f
Broadcast Receivers 2017-10-25 14:48:30.127000+00:00 2020-03-27 15:28:03.858000+00:00 attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69
Input Capture 2017-10-25 14:48:27.660000+00:00 2020-06-24 15:09:12.483000+00:00 attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad
System Information Discovery 2017-10-25 14:48:19.265000+00:00 2019-11-20 19:56:49.109000+00:00 attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77
Carrier Billing Fraud 2017-10-25 14:48:09.082000+00:00 2020-05-04 15:40:20.943000+00:00 attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274
Abuse Accessibility Features 2017-10-25 14:48:08.613000+00:00 2020-03-30 14:03:43.761000+00:00 attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a

These techniques were likely all modified after we implemented the sub-techniques data model internally (I'd have to dig up the exact date for the deployment, but it looks about right).

Techniques without x_mitre_is_subtechnique

name created modified STIX ID
Data from Local System 2019-10-10 15:12:42.790000+00:00 2019-10-11 14:53:38.987000+00:00 attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a
Data Encrypted 2019-10-10 15:00:44.181000+00:00 2019-10-10 15:00:44.181000+00:00 attack-pattern--e3b936a4-6321-4172-9114-038a866362ec
Evade Analysis Environment 2019-10-02 14:46:43.632000+00:00 2019-10-11 14:48:50.525000+00:00 attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b
Standard Cryptographic Protocol 2019-10-01 14:18:47.762000+00:00 2019-10-01 14:18:47.762000+00:00 attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84
Domain Generation Algorithms 2019-09-23 13:11:43.694000+00:00 2019-09-23 14:53:42.654000+00:00 attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de
Capture Camera 2019-08-09 16:14:58.254000+00:00 2019-09-12 18:33:15.023000+00:00 attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6
Uncommonly Used Port 2019-08-01 13:44:09.368000+00:00 2019-09-11 13:27:50.344000+00:00 attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5
Clipboard Modification 2019-07-26 14:15:31.451000+00:00 2019-10-28 18:36:26.261000+00:00 attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb
Network Information Discovery 2019-07-10 15:18:16.753000+00:00 2019-07-10 15:18:16.753000+00:00 attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2
Web Service 2019-02-01 17:29:43.503000+00:00 2019-02-01 17:29:43.503000+00:00 attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380
Deliver Malicious App via Other Means 2018-10-17 00:14:20.652000+00:00 2019-10-28 18:33:12.646000+00:00 attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7
Deliver Malicious App via Authorized App Store 2018-10-17 00:14:20.652000+00:00 2019-10-14 17:42:49.817000+00:00 attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a
Exploit via Radio Interfaces 2018-10-17 00:14:20.652000+00:00 2019-02-03 15:19:22.439000+00:00 attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5
Install Insecure or Malicious Configuration 2018-10-17 00:14:20.652000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2
Remotely Install Application 2017-10-25 14:48:34.830000+00:00 2018-10-17 01:05:10.701000+00:00 attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16
Process Discovery 2017-10-25 14:48:33.926000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19
System Network Connections Discovery 2017-10-25 14:48:33.574000+00:00 2019-02-01 19:34:17.460000+00:00 attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb
Standard Application Layer Protocol 2017-10-25 14:48:33.158000+00:00 2019-02-03 14:52:45.266000+00:00 attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673
Obfuscated Files or Information 2017-10-25 14:48:32.328000+00:00 2019-09-23 13:26:01.263000+00:00 attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a
Modify OS Kernel or Boot Partition 2017-10-25 14:48:31.294000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5
Modify System Partition 2017-10-25 14:48:30.890000+00:00 2019-09-04 13:35:57.549000+00:00 attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0
Insecure Third-Party Libraries 2017-10-25 14:48:30.462000+00:00 2018-10-17 01:05:10.699000+00:00 attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799
Abuse Device Administrator Access to Prevent Removal 2017-10-25 14:48:29.774000+00:00 2019-02-03 16:56:41.200000+00:00 attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483
Exploit OS Vulnerability 2017-10-25 14:48:29.405000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172
Modify Cached Executable Code 2017-10-25 14:48:29.092000+00:00 2019-10-09 19:39:32.872000+00:00 attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6
Fake Developer Accounts 2017-10-25 14:48:28.786000+00:00 2018-10-17 01:05:10.701000+00:00 attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9
Device Type Discovery 2017-10-25 14:48:28.456000+00:00 2019-10-16 13:24:48.936000+00:00 attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05
Application Discovery 2017-10-25 14:48:28.067000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2
Alternate Network Mediums 2017-10-25 14:48:27.307000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a
Network Service Scanning 2017-10-25 14:48:26.890000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790
Detect App Analysis Environment 2017-10-25 14:48:26.473000+00:00 2018-10-17 01:05:10.700000+00:00 attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b
Eavesdrop on Insecure Network Communication 2017-10-25 14:48:26.104000+00:00 2019-02-03 14:54:29.631000+00:00 attack-pattern--393e8c12-a416-4575-ba90-19cc85656796
Jamming or Denial of Service 2017-10-25 14:48:25.740000+00:00 2019-02-03 14:15:21.946000+00:00 attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d
Manipulate Device Communication 2017-10-25 14:48:25.322000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63
Malicious Software Development Tools 2017-10-25 14:48:24.905000+00:00 2018-10-17 01:05:10.704000+00:00 attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc
Lockscreen Bypass 2017-10-25 14:48:24.488000+00:00 2019-02-03 17:08:07.111000+00:00 attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd
Biometric Spoofing 2017-10-25 14:48:24.069000+00:00 2018-10-17 01:05:10.703000+00:00 attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09
Device Unlock Code Guessing or Brute Force 2017-10-25 14:48:23.652000+00:00 2018-10-17 01:05:10.703000+00:00 attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a
Exploit via Charging Station or PC 2017-10-25 14:48:23.233000+00:00 2019-02-03 15:10:41.460000+00:00 attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d
Exploit TEE Vulnerability 2017-10-25 14:48:22.716000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884
Rogue Cellular Base Station 2017-10-25 14:48:22.296000+00:00 2019-02-03 15:17:11.346000+00:00 attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed
File and Directory Discovery 2017-10-25 14:48:21.965000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848
Downgrade to Insecure Protocols 2017-10-25 14:48:21.667000+00:00 2019-02-03 15:16:13.386000+00:00 attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34
Rogue Wi-Fi Access Points 2017-10-25 14:48:21.354000+00:00 2019-02-03 15:15:18.023000+00:00 attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3
Remotely Track Device Without Authorization 2017-10-25 14:48:21.023000+00:00 2019-02-03 14:16:59.424000+00:00 attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a
Access Calendar Entries 2017-10-25 14:48:20.727000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--62adb627-f647-498e-b4cc-41499361bacb
SIM Card Swap 2017-10-25 14:48:20.329000+00:00 2019-02-03 14:13:24.168000+00:00 attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5
Capture Clipboard Data 2017-10-25 14:48:19.996000+00:00 2019-09-13 20:46:26.223000+00:00 attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692
Malicious Media Content 2017-10-25 14:48:19.682000+00:00 2018-10-17 01:05:10.703000+00:00 attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431
Generate Fraudulent Advertising Revenue 2017-10-25 14:48:18.937000+00:00 2019-07-03 20:21:22.168000+00:00 attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf
Modify Trusted Execution Environment 2017-10-25 14:48:18.583000+00:00 2019-02-03 14:23:10.576000+00:00 attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468
Obtain Device Cloud Backups 2017-10-25 14:48:18.237000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d
Device Lockout 2017-10-25 14:48:17.886000+00:00 2019-10-09 14:39:38.930000+00:00 attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1
URL Scheme Hijacking 2017-10-25 14:48:17.533000+00:00 2020-10-23 15:05:40.674000+00:00 attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e
Access Sensitive Data in Device Logs 2017-10-25 14:48:17.176000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3
Commonly Used Port 2017-10-25 14:48:16.650000+00:00 2019-06-19 19:25:33.180000+00:00 attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad
Abuse of iOS Enterprise App Signing Key 2017-10-25 14:48:16.288000+00:00 2018-10-17 01:05:10.701000+00:00 attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac
Capture SMS Messages 2017-10-25 14:48:15.920000+00:00 2019-09-18 18:28:50.898000+00:00 attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060
Access Stored Application Data 2017-10-25 14:48:15.402000+00:00 2019-10-10 14:17:48.920000+00:00 attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160
Network Traffic Capture or Redirection 2017-10-25 14:48:14.982000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9
Download New Code at Runtime 2017-10-25 14:48:14.460000+00:00 2019-10-09 19:40:52.090000+00:00 attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6
Disguise Root/Jailbreak Indicators 2017-10-25 14:48:14.003000+00:00 2019-02-03 14:34:59.071000+00:00 attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6
Attack PC via USB Connection 2017-10-25 14:48:13.625000+00:00 2019-02-03 14:51:19.932000+00:00 attack-pattern--a0464539-e1b7-4455-a355-12495987c300
Exploit Enterprise Resources 2017-10-25 14:48:13.259000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d
Capture Audio 2017-10-25 14:48:12.913000+00:00 2019-09-20 17:59:11.041000+00:00 attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760
Location Tracking 2017-10-25 14:48:12.267000+00:00 2019-10-15 20:01:06.186000+00:00 attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4
App Delivered via Web Download 2017-10-25 14:48:11.861000+00:00 2018-10-17 01:05:10.699000+00:00 attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2
Access Contact List 2017-10-25 14:48:11.535000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce
Access Call Log 2017-10-25 14:48:11.116000+00:00 2019-09-18 18:17:43.466000+00:00 attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44
App Delivered via Email Attachment 2017-10-25 14:48:10.699000+00:00 2018-10-17 01:05:10.699000+00:00 attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2
Data Encrypted for Impact 2017-10-25 14:48:10.285000+00:00 2019-10-01 13:51:22.001000+00:00 attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4
Exploit SS7 to Track Device Location 2017-10-25 14:48:09.864000+00:00 2019-02-03 15:06:10.014000+00:00 attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5
Malicious or Vulnerable Built-in Device Functionality 2017-10-25 14:48:09.446000+00:00 2018-10-17 01:05:10.704000+00:00 attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df
Malicious SMS Message 2017-10-25 14:48:08.155000+00:00 2019-04-29 19:35:30.985000+00:00 attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d
Remotely Wipe Data Without Authorization 2017-10-25 14:48:07.827000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067
Manipulate App Store Rankings or Ratings 2017-10-25 14:48:07.460000+00:00 2019-07-03 20:25:59.845000+00:00 attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69
Exploit Baseband Vulnerability 2017-10-25 14:48:07.149000+00:00 2018-10-17 01:05:10.702000+00:00 attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f
Drive-by Compromise 2017-10-25 14:48:06.822000+00:00 2018-10-17 00:14:20.652000+00:00 attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57
Exploit SS7 to Redirect Phone Calls/SMS 2017-10-25 14:48:06.524000+00:00 2019-02-03 16:28:52.821000+00:00 attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d
Stolen Developer Credentials or Signing Keys 2017-10-25 14:48:05.928000+00:00 2018-10-17 01:05:10.700000+00:00 attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881

These were all modified most recently in 2019, likely before we implemented the data model change. So my suspicion is that saving a technique in our internal editor will cause mobile techniques to gain the x_mitre_is_subtechnique field even though it isn't technically part of their data model. ICS doesn't use the same editing application so it isn't vulnerable to the same bug.

@isaisabel isaisabel added bug and removed question labels Dec 4, 2020
@Cyb3rWard0g
Copy link
Author

Thank you so much for all the details! It also helps me to improve my troubleshooting skills 😉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Cyb3rWard0g @isaisabel