mitre-attack / attack-stix-data

STIX data representing MITRE ATT&CK
https://attack.mitre.org/

found registry hive typo in enterprise-mitre v11.3 json #26

Closed irinhwng closed 1 year ago

irinhwng commented 1 year ago

I'm pretty sure HKLU from `HKLU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce` doesn't exist. The text is inside the description key:

```json
{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--e1cf08cf-e483-44a1-bdfe-cdfa424d69e5",
    "type": "relationship",
    "created": "2021-06-10T15:48:43.867Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [
        {
            "source_name": "Malwarebytes Kimsuky June 2021",
            "url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/",
            "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021."
        }
    ],
    "modified": "2021-06-10T15:48:43.867Z",
    "description": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to create the Registry key name <code>EstsoftAutoUpdate</code> at <code>HKLU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce</code> to establish persistence.(Citation: Malwarebytes Kimsuky June 2021)",
    "relationship_type": "uses",
    "source_ref": "malware--295721d2-ee20-4fa3-ade3-37f4146b4570",
    "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "spec_version": "2.1",
    "x_mitre_attack_spec_version": "2.1.0",
    "x_mitre_domains": [
        "enterprise-attack"
    ]
}
```
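A typo like this is easy to catch mechanically before a release. The following is an added example (not part of this issue or of the attack-stix-data project) that lints registry paths in STIX object descriptions against the set of real Windows hive names and flags mixed slash separators; the sample bundle is constructed from the description quoted above plus one correctly written path, and the second object's id is a placeholder.

```python
import json
import re

# Registry hive names that can legitimately begin a key path.
# "HKLU", as written in the description above, is not one of them.
VALID_HIVES = {
    "HKLM", "HKCU", "HKCR", "HKU", "HKCC",
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
    "HKEY_USERS", "HKEY_CURRENT_CONFIG",
}

# An HK* hive token followed by a backslash- or slash-separated path,
# stopping at whitespace or at the "<" of a closing <code> tag.
REG_PATH_RE = re.compile(r"\b(HK[A-Z_]+)[\\/][^\s<]+")


def registry_path_issues(obj):
    """Return (stix id, path, problem) for suspicious registry paths in obj's description."""
    issues = []
    for match in REG_PATH_RE.finditer(obj.get("description", "")):
        hive, path = match.group(1), match.group(0)
        if hive not in VALID_HIVES:
            issues.append((obj["id"], path, "unknown hive " + hive))
        if "/" in path:
            issues.append((obj["id"], path, "forward slash in key path"))
    return issues


def lint_bundle(bundle):
    """Run the check over every object in a STIX bundle dict."""
    issues = []
    for obj in bundle.get("objects", []):
        issues.extend(registry_path_issues(obj))
    return issues


# Constructed sample bundle: the first description is the one quoted in this
# issue (trimmed); the second uses a correctly written path for comparison.
SAMPLE_BUNDLE = json.loads(r'''{
  "type": "bundle",
  "objects": [
    {"type": "relationship",
     "id": "relationship--e1cf08cf-e483-44a1-bdfe-cdfa424d69e5",
     "description": "... at <code>HKLU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce</code> to establish persistence."},
    {"type": "relationship",
     "id": "relationship--11111111-1111-1111-1111-111111111111",
     "description": "Writes to <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>."}
  ]
}''')

for stix_id, path, problem in lint_bundle(SAMPLE_BUNDLE):
    print(f"{stix_id}: {problem}: {path}")
```

Running it against the sample reports two problems for the quoted relationship (unknown hive and a forward slash) and nothing for the HKCU path.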
jondricek commented 1 year ago

If you head over to https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ (the external_reference URL) it mentions that this malware - AppleSeed - creates the registry key, including HKLU.

jondricek commented 1 year ago

That said, it may be a typo from malwarebytes where it should have meant HKCU. If that is the case we'd want to get that in writing from them in order to update their reporting.

irinhwng commented 1 year ago

I think this is a typo. If you see the screenshot below, it refers to HKEY_CURRENT_USER (outlined in red).

[Screenshot: Screen Shot 2022-09-20 at 9 54 00 AM]

jondricek commented 1 year ago

We've updated it internally and it will be fixed in the upcoming release next month. Thanks for your help!