mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Are custom properties available from TAXII as a source? #15

Closed Cyb3rWard0g closed 6 years ago

Cyb3rWard0g commented 6 years ago

Good afternoon,

When I pull information about T1163 from the TAXII server, I don't see the custom properties:

            "x_mitre_platforms": [
                "macOS"
            ],
            "x_mitre_data_sources": [
                "File monitoring",
                "Process Monitoring"
            ],
            "x_mitre_permissions_required": [
                "root"
            ]

All I get is the following:

{
    "type": "attack-pattern",
    "id": "attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2017-12-14T16:46:06.044Z",
    "modified": "2018-04-18T17:59:24.739Z",
    "name": "Rc.common",
    "description": "During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.\n\nAdversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).\n\nDetection: The <code>/etc/rc.common</code> file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.\n\nPlatforms: macOS\n\nData Sources: File monitoring, Process Monitoring\n\nPermissions Required: root",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-attack",
            "phase_name": "persistence"
        }
    ],
    "external_references": [
        {
            "source_name": "mitre-attack",
            "url": "https://attack.mitre.org/wiki/Technique/T1163",
            "external_id": "T1163"
        },
        {
            "source_name": "Startup Items",
            "description": "Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017.",
            "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html"
        },
        {
            "source_name": "Methods of Mac Malware Persistence",
            "description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
            "url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ]
}

According to the STIX datastore documentation, the TAXIICollectionSource Class has the property "allow_custom" set to TRUE by default.

I followed the basic example provided here: https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via .

I might be missing something, since I cannot get those custom arguments to show up when I pull all the techniques and try to play with them.

Thank you for all your work! 😄
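
Added example, not code from the original thread or from the mitre/cti project: a standard-library-only Python check that audits a STIX 2.0 bundle as a TAXII pull would hand it back, reports which attack-pattern objects are missing the x_mitre_* custom properties, and recovers the values from the "Platforms:", "Data Sources:" and "Permissions Required:" trailers that the pre-fix server output left inside the description. The bundle is constructed inline and mirrors the two objects quoted in this thread (the bundle id is a placeholder; the two attack-pattern ids are the ones quoted above).

```python
"""Audit an ATT&CK STIX 2.0 bundle for the x_mitre_* custom properties.

Added example (not mitre/cti code). Run with a saved bundle
(python3 audit.py bundle.json) or with no argument to use the sample.
"""
import json
import re
import sys
from typing import Any, Dict, List

# Trailers that the pre-fix server output carried inside the description,
# mapped to the custom property each one corresponds to.
TRAILER_TO_PROP = {
    "Platforms": "x_mitre_platforms",
    "Data Sources": "x_mitre_data_sources",
    "Permissions Required": "x_mitre_permissions_required",
}
TRAILER_RE = re.compile(
    r"^(Platforms|Data Sources|Permissions Required):\s*(.+?)\s*$", re.MULTILINE
)

# Constructed sample, not a live TAXII response. Bundle id is a placeholder.
# First object mirrors the pre-fix output (trailers only in description),
# second mirrors the fixed output (x_mitre_* present).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
            "name": "Rc.common",
            "description": "Adversaries can use the rc.common file as a way "
                           "to hide code for persistence.\n\nPlatforms: macOS"
                           "\n\nData Sources: File monitoring, Process "
                           "Monitoring\n\nPermissions Required: root",
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T1163"}],
        },
        {
            "type": "attack-pattern",
            "id": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
            "name": "Drive-by Compromise",
            "description": "A drive-by compromise is when an adversary gains "
                           "access through a user visiting a website.\n\n"
                           "Platforms: Linux, Windows, macOS\n\nData Sources: "
                           "Packet capture, Web proxy\n\nPermissions Required: User",
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T1189"}],
            "x_mitre_data_sources": ["Packet capture", "Web proxy"],
            "x_mitre_permissions_required": ["User"],
            "x_mitre_platforms": ["Linux", "Windows", "macOS"],
        },
    ],
})


def attack_id(obj: Dict[str, Any]) -> str:
    """Return the ATT&CK technique id (e.g. T1163) from external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return obj.get("id", "<no id>")


def custom_properties(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Custom STIX properties carry an x_ prefix (x_mitre_* for ATT&CK)."""
    return {k: v for k, v in obj.items() if k.startswith("x_")}


def trailers_from_description(description: str) -> Dict[str, List[str]]:
    """Recover the field trailers embedded in the description, as lists."""
    found: Dict[str, List[str]] = {}
    for label, raw in TRAILER_RE.findall(description):
        found[TRAILER_TO_PROP[label]] = [v.strip() for v in raw.split(",") if v.strip()]
    return found


def audit_bundle(bundle_json: str) -> Dict[str, Dict[str, Any]]:
    """Per technique: custom properties present, expected ones missing,
    values recovered from the description, and any disagreement between
    the two (a sign the pull or the server is dropping or altering data)."""
    report: Dict[str, Dict[str, Any]] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        present = custom_properties(obj)
        recovered = trailers_from_description(obj.get("description", ""))
        report[attack_id(obj)] = {
            "custom_present": sorted(present),
            "missing": sorted(set(TRAILER_TO_PROP.values()) - set(present)),
            "recovered": recovered,
            "mismatch": sorted(p for p in recovered
                               if p in present and present[p] != recovered[p]),
        }
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for tid, entry in audit_bundle(text).items():
        print(tid, json.dumps(entry))
```

The script works on the raw JSON rather than through a STIX client library, so it reports what the server actually sent, independent of how a client such as the stix2 library's TAXIICollectionSource treats custom properties on parse. A technique listed under "missing" with non-empty "recovered" values is exactly the symptom described in this issue.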

jburns12 commented 6 years ago

Hi @Cyb3rWard0g ... we found the error in the TAXII server and have updated it as such.

Thanks so much for bringing this to our attention!

Cyb3rWard0g commented 6 years ago

It works now 👍

{
    "type": "attack-pattern",
    "id": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2018-04-18T17:59:24.739Z",
    "modified": "2018-04-18T17:59:24.739Z",
    "name": "Drive-by Compromise",
    "description": "A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. This can happen in several ways, but there are a few main components: \n\nMultiple ways of delivering exploit code to a browser exist, including:\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring. (Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n# A user visits a website that is used to host the adversary controlled content.\n# Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.\n#* The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n# Upon finding a vulnerable version, exploit code is delivered to the browser.\n# If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n#* In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nDetection: Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.\n\nNetwork intrusion detection systems, sometimes with SSL/TLS MITM inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.\n\nDetecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection\n\nPermissions Required: User",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-attack",
            "phase_name": "initial-access"
        }
    ],
    "external_references": [
        {
            "source_name": "mitre-attack",
            "url": "https://attack.mitre.org/wiki/Technique/T1189",
            "external_id": "T1189"
        },
        {
            "source_name": "Shadowserver Strategic Web Compromise",
            "description": "Adair, S., Moran, N. (2012, May 15). Cyber Espionage & Strategic Web Compromises \u2013 Trusted Websites Serving Dangerous Results. Retrieved March 13, 2018.",
            "url": "http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "x_mitre_data_sources": [
        "Packet capture",
        "Network device logs",
        "Process use of network",
        "Web proxy",
        "Network intrusion detection system",
        "SSL/TLS inspection"
    ],
    "x_mitre_permissions_required": [
        "User"
    ],
    "x_mitre_platforms": [
        "Linux",
        "Windows",
        "macOS"
    ]
}

Thank you very much. Awesome work!!! Can't wait to share what I am working on 😄