mitre-attack / attack-stix-data

STIX data representing MITRE ATT&CK
https://attack.mitre.org/

found registry hive typo in enterprise-mitre v11.3 json #26

Closed irinhwng closed 2 years ago

irinhwng commented 2 years ago

I'm pretty sure HKLU from `HKLU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce` doesn't exist. The text is inside the description key.

```json
{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--e1cf08cf-e483-44a1-bdfe-cdfa424d69e5",
    "type": "relationship",
    "created": "2021-06-10T15:48:43.867Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [
        {
            "source_name": "Malwarebytes Kimsuky June 2021",
            "url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/",
            "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021."
        }
    ],
    "modified": "2021-06-10T15:48:43.867Z",
    "description": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to create the Registry key name <code>EstsoftAutoUpdate</code> at <code>HKLU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce</code> to establish persistence.(Citation: Malwarebytes Kimsuky June 2021)",
    "relationship_type": "uses",
    "source_ref": "malware--295721d2-ee20-4fa3-ade3-37f4146b4570",
    "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "spec_version": "2.1",
    "x_mitre_attack_spec_version": "2.1.0",
    "x_mitre_domains": [
        "enterprise-attack"
    ]
}
```
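As an added example (not part of this issue, and not code from the attack-stix-data repository): a small Python checker that loads a STIX bundle of the shape above and flags every registry reference in a `description` whose root hive is not one of the five real Windows hives (HKCR, HKCU, HKLM, HKU, HKCC and their long forms), and separately flags paths that mix `/` and `\` separators, as the AppleSeed description does. The bundle embedded below is constructed for the example: the first object carries the description quoted in the issue, the second object and its id are made up as a clean reference, and the real `enterprise-attack.json` has many more fields per object. The `main` takes an optional path so the same scan can be run over a real bundle.

```python
import json
import re
import sys

# The five real Windows registry root hives, long form -> abbreviation.
VALID_HIVES = {
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}
VALID_HIVE_NAMES = set(VALID_HIVES) | set(VALID_HIVES.values())

# Anything that looks like a registry reference: an HK... token, optionally
# followed by a \- or /-separated path. The path stops at whitespace, HTML
# angle brackets (ATT&CK wraps paths in <code>...</code>) or a quote.
# Descriptions are already JSON-decoded here, so "\\" in the file is one "\".
REG_REF_RE = re.compile(r"\b(HK[A-Z_]+)([\\/][^\s<>\"']*)?")


def find_registry_issues(text):
    """Return [(token, reason)] for each suspicious registry reference in text."""
    issues = []
    for m in REG_REF_RE.finditer(text):
        hive, path = m.group(1), m.group(2) or ""
        token = hive + path
        if hive not in VALID_HIVE_NAMES:
            issues.append((token, f"unknown hive {hive}"))
        if "/" in path and "\\" in path:
            issues.append((token, "mixed path separators"))
    return issues


def scan_bundle(bundle):
    """Scan the description of every object in a STIX bundle dict.

    Returns [(object id, offending token, reason)] so a reviewer can jump
    straight to the object that needs a fix.
    """
    findings = []
    for obj in bundle.get("objects", []):
        desc = obj.get("description")
        if isinstance(desc, str):
            for token, reason in find_registry_issues(desc):
                findings.append((obj["id"], token, reason))
    return findings


# Constructed sample bundle (assumption for this example): the first object is
# the relationship quoted in the issue, the second is a made-up clean reference.
SAMPLE_BUNDLE_JSON = r'''
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {
      "type": "relationship",
      "id": "relationship--e1cf08cf-e483-44a1-bdfe-cdfa424d69e5",
      "description": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to create the Registry key name <code>EstsoftAutoUpdate</code> at <code>HKLU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce</code> to establish persistence.(Citation: Malwarebytes Kimsuky June 2021)"
    },
    {
      "type": "relationship",
      "id": "relationship--00000000-0000-4000-8000-000000000002",
      "description": "Creates <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> for persistence."
    }
  ]
}
'''


def main(argv):
    # Optional: pass a real bundle, e.g. enterprise-attack/enterprise-attack.json
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            bundle = json.load(fh)
    else:
        bundle = json.loads(SAMPLE_BUNDLE_JSON)
    findings = scan_bundle(bundle)
    for obj_id, token, reason in findings:
        print(f"{obj_id}: {reason}: {token}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed bundle this reports the AppleSeed relationship twice (unknown hive `HKLU`, and mixed separators in `Microsoft/Windows`) and nothing for the clean object. The checker only detects; which real hive was meant has to come from the cited report, as the thread below goes on to do.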
jondricek commented 2 years ago

If you head over to https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ (the external_reference URL) it mentions that this malware - AppleSeed - creates the registry key, including HKLU.

jondricek commented 2 years ago

That said, it may be a typo from malwarebytes where it should have meant HKCU. If that is the case we'd want to get that in writing from them in order to update their reporting.

irinhwng commented 2 years ago

I think this is a typo. If you see the screenshot below, it refers to HKEY_CURRENT_USER (outlined in red).

(Screenshot attached: Screen Shot 2022-09-20 at 9 54 00 AM)

jondricek commented 2 years ago

We've updated it internally and it will be fixed in the upcoming release next month. Thanks for your help!