Add MITRE Fight Fraud Framework (F3 v1.1) mappings to fraud-relevant skills

- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing,
  account takeover, banking malware, BEC, identity/KYC, payment/card fraud,
  money-mule/cash-out, ransomware extortion, DFIR, threat intel)
- Map each skill to F3 v1.1 tactics + precise technique IDs, including the
  two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and
  Monetization (FA0002)
- All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle
  (github.com/center-for-threat-informed-defense/fight-fraud-framework):
  0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs
- mitre_f3 kept as a separate block from mitre_attack (F3 redefines several
  ATT&CK tactics for the fraud context)
- Add docs/mitre-f3-mapping.md schema reference
- Update README: F3 as the 6th framework, dedicated F3 section + badge
This commit is contained in:
mukul975
2026-06-20 16:04:49 +02:00
parent 04450304b1
commit 886658219f
96 changed files with 2625 additions and 7 deletions
@@ -30,6 +30,33 @@ mitre_attack:
- T1566.002
- T1608.005
- T1596.003
mitre_f3:
version: '1.1'
tactics:
- resource-development
- reconnaissance
- initial-access
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing Certificate Transparency for Phishing
@@ -26,6 +26,38 @@ mitre_attack:
- T1566.001
- T1566.002
- T1598.003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- resource-development
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Analyzing Email Headers for Phishing Investigation
@@ -34,6 +34,29 @@ mitre_attack:
- T1105
- T1041
- T1567
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Analyzing Indicators of Compromise
@@ -29,6 +29,29 @@ mitre_attack:
- T1059.004
- T1620
- T1574.006
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
- reconnaissance
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Analyzing Linux ELF Malware
@@ -28,6 +28,24 @@ mitre_attack:
- T1573.001
- T1573.002
- T1027
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
---
# Analyzing Ransomware Encryption Mechanisms
@@ -27,6 +27,28 @@ mitre_attack:
- T1486
- T1567.002
- T1591
mitre_f3:
version: '1.1'
tactics:
- monetization
- reconnaissance
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Analyzing Ransomware Leak Site Intelligence
@@ -33,6 +33,24 @@ mitre_attack:
- T1048
- T1567.002
- T1486
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Analyzing Ransomware Network Indicators
@@ -28,6 +28,32 @@ nist_csf:
mitre_attack:
- T1657
- T1486
mitre_f3:
version: '1.1'
tactics:
- monetization
- stealth
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1045
name: Structuring
tactic: stealth
source: f3
---
# Analyzing Ransomware Payment Wallets
@@ -31,6 +31,33 @@ mitre_attack:
- T1566.002
- T1598.003
- T1583.006
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing TLS Certificate Transparency Logs
@@ -30,6 +30,33 @@ mitre_attack:
- T1566.002
- T1598.003
- T1583.006
mitre_f3:
version: '1.1'
tactics:
- resource-development
- reconnaissance
- initial-access
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing Typosquatting Domains with DNSTwist
@@ -29,6 +29,29 @@ mitre_attack:
- T1611
- T1613
- T1078.004
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
techniques:
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
---
# Auditing Kubernetes Cluster RBAC
@@ -28,6 +28,32 @@ mitre_attack:
- T1484.002
- T1078.004
- T1110.003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: T1550
name: Use Alternate Authentication Material
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
---
# Building Identity Federation with SAML Azure AD
@@ -34,6 +34,33 @@ mitre_attack:
- T1078
- T1531
- T1087
mitre_f3:
version: '1.1'
tactics:
- positioning
- defense-impairment
- initial-access
techniques:
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1042
name: Reactivate Account
tactic: positioning
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Building Identity Governance Lifecycle Process
@@ -19,6 +19,30 @@ mitre_attack:
- T1598.003
- T1204.001
- T1534
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -30,6 +30,28 @@ mitre_attack:
- T1489
- T1078
- T1021.002
mitre_f3:
version: '1.1'
tactics:
- initial-access
- monetization
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Building Ransomware Playbook with CISA Framework
@@ -23,6 +23,28 @@ mitre_attack:
- T1489
- T1566
- T1059.001
mitre_f3:
version: '1.1'
tactics:
- initial-access
- monetization
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -23,6 +23,38 @@ mitre_attack:
- T1204.001
- T1114
- T1056.003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- reconnaissance
- resource-development
- positioning
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1557
name: Adversary-in-the-Middle
tactic: positioning
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -35,6 +35,37 @@ mitre_attack:
- T1566.004
- T1204.001
- T1589
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- resource-development
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Conducting Social Engineering Penetration Test
@@ -38,6 +38,37 @@ mitre_attack:
- T1589
- T1591
- T1598
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: F1034
name: Interactive Voice Response Mapping
tactic: reconnaissance
source: f3
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1040
name: Phone Number Spoofing
tactic: stealth
source: f3
- id: F1040.002
name: 'Phone Number Spoofing: Official Phone Number Spoofing'
tactic: stealth
source: f3
---
# Conducting Social Engineering Pretext Call
@@ -33,6 +33,37 @@ mitre_attack:
- T1598.002
- T1204.002
- T1204.001
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1585
name: Establish Accounts
tactic: resource-development
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Conducting Spearphishing Simulation Campaign
@@ -28,6 +28,28 @@ mitre_attack:
- T1078.004
- T1133
- T1021.007
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
---
# Configuring Identity-Aware Proxy with Google IAP
@@ -26,6 +26,28 @@ mitre_attack:
- T1557.001
- T1040
- T1078.002
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1557
name: Adversary-in-the-Middle
tactic: positioning
source: attack
---
# Configuring LDAP Security Hardening
@@ -28,6 +28,28 @@ mitre_attack:
- T1539
- T1606.001
- T1212
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
---
# Configuring OAuth 2.0 Authorization Flow
@@ -30,6 +30,29 @@ mitre_attack:
- T1083
- T1490
- T1485
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
- stealth
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
---
# Deploying Decoy Files for Ransomware Detection
@@ -32,6 +32,23 @@ mitre_attack:
- T1083
- T1490
- T1485
mitre_f3:
version: '1.1'
tactics:
- monetization
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Deploying Ransomware Canary Files
@@ -37,6 +37,32 @@ mitre_attack:
- T1110.004
- T1078
- T1021
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
---
# Detecting Anomalous Authentication Patterns
@@ -26,6 +26,33 @@ mitre_attack:
- T1538
- T1098.001
- T1526
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: T1586.003
name: 'Compromise Accounts: Cloud Accounts'
tactic: resource-development
source: attack
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1005.001
name: 'Account Manipulation: Account Linking'
tactic: defense-impairment
source: f3
---
# Detecting AWS CloudTrail Anomalies
@@ -27,6 +27,32 @@ mitre_attack:
- T1552
- T1078.004
- T1589.001
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
techniques:
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
---
# Detecting AWS Credential Exposure with TruffleHog
@@ -44,6 +44,38 @@ mitre_attack:
- T1114.002
- T1657
- T1078.004
mitre_f3:
version: '1.1'
tactics:
- initial-access
- stealth
- positioning
- monetization
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1005.006
name: 'Account Manipulation: Change of Payment Details'
tactic: positioning
source: f3
- id: F1022
name: Delete Relevant Emails
tactic: stealth
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Detecting Business Email Compromise with AI
@@ -39,6 +39,38 @@ mitre_attack:
- T1114.002
- T1657
- T1078.004
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- monetization
- stealth
techniques:
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1036
name: New Vendor Setup
tactic: positioning
source: f3
- id: F1005.006
name: 'Account Manipulation: Change of Payment Details'
tactic: positioning
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
- id: F1022
name: Delete Relevant Emails
tactic: stealth
source: f3
---
# Detecting Business Email Compromise
@@ -29,6 +29,33 @@ mitre_attack:
- T1537
- T1580
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
techniques:
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1586.003
name: 'Compromise Accounts: Cloud Accounts'
tactic: resource-development
source: attack
- id: F1005
name: Account Manipulation
tactic: defense-impairment
source: f3
---
# Detecting Compromised Cloud Credentials
@@ -32,6 +32,33 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- positioning
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1110.002
name: 'Brute Force: Password Cracking'
tactic: initial-access
source: attack
---
# Detecting Credential Dumping Techniques
@@ -29,6 +29,29 @@ mitre_attack:
- T1537
- T1580
- T1071
mitre_f3:
version: '1.1'
tactics:
- initial-access
- resource-development
- monetization
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: T1586.003
name: 'Compromise Accounts: Cloud Accounts'
tactic: resource-development
source: attack
- id: T1583.003
name: 'Acquire Infrastructure: Virtual Private Network or Server'
tactic: resource-development
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
---
# Detecting Cryptomining in Cloud
@@ -47,6 +47,34 @@ mitre_attack:
- T1059
- T1566
- T1598
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- monetization
techniques:
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
- id: F1040
name: Phone Number Spoofing
tactic: stealth
source: f3
- id: F1034
name: Interactive Voice Response Mapping
tactic: reconnaissance
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Detecting Deepfake Audio in Vishing Attacks
@@ -31,6 +31,33 @@ mitre_attack:
- T1036
- T1078
- T1003
mitre_f3:
version: '1.1'
tactics:
- positioning
- execution
- initial-access
techniques:
- id: T1453
name: Abuse Accessibility Features
tactic: positioning
source: attack
- id: F1003
name: Abuse SMS verification
tactic: execution
source: f3
- id: T1113
name: Screen Capture
tactic: positioning
source: attack
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1002.001
name: 'Abuse of Public-Facing API: Mobile API Abuse'
tactic: positioning
source: f3
---
# Detecting Mobile Malware Behavior
@@ -32,6 +32,36 @@ mitre_attack:
- T1530
- T1537
- T1580
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1185
name: Browser Session Hijacking
tactic: positioning
source: attack
---
# Detecting OAuth Token Theft
@@ -33,6 +33,33 @@ mitre_attack:
- T1534
- T1036
- T1027
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Detecting QR Code Phishing with Email Security
@@ -31,6 +31,29 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
- stealth
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
---
# Detecting Ransomware Encryption Behavior
@@ -32,6 +32,29 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- monetization
techniques:
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1650
name: Acquire Access
tactic: resource-development
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
---
# Detecting Ransomware Precursors in Network Traffic
@@ -26,6 +26,38 @@ mitre_attack:
- T1566.002
- T1204.001
- T1204.002
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- resource-development
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Detecting Spearphishing with Email Gateway
@@ -33,6 +33,33 @@ mitre_attack:
- T1003.002
- T1003.003
- T1003.006
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- positioning
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Detecting T1003 Credential Dumping with EDR
@@ -31,6 +31,38 @@ mitre_attack:
- T1059
- T1078
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- positioning
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
---
# Executing Phishing Simulation Campaign
@@ -18,6 +18,37 @@ mitre_attack:
- T1119
- T1070
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- positioning
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -30,6 +30,28 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Hunting Credential Stuffing Attacks
@@ -32,6 +32,33 @@ mitre_attack:
- T1082
- T1083
- T1566
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- resource-development
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Hunting For Spearphishing Indicators
@@ -26,6 +26,33 @@ mitre_attack:
- T1598
- T1534
- T1036
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
---
# Implementing Anti-Phishing Training Program
@@ -31,6 +31,29 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- monetization
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
---
# Implementing Anti-Ransomware Group Policy
@@ -26,6 +26,29 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: defense-impairment
source: f3
---
# Implementing Azure AD Privileged Identity Management
@@ -33,6 +33,37 @@ mitre_attack:
- T1557
- T1071
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- execution
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: positioning
source: attack
- id: T1185
name: Browser Session Hijacking
tactic: positioning
source: attack
- id: F1007
name: Adversary-in-the-Browser
tactic: positioning
source: f3
- id: F1007.002
name: 'Adversary-in-the-Browser: Malicious Browser Extension'
tactic: positioning
source: f3
- id: F1007.003
name: 'Adversary-in-the-Browser: Malicious JavaScript Injection'
tactic: execution
source: f3
---
# Implementing Browser Isolation for Zero Trust
@@ -30,6 +30,33 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- positioning
techniques:
- id: T1555.005
name: 'Credentials from Password Stores: Password Managers'
tactic: reconnaissance
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
---
# Implementing Delinea Secret Server for PAM
@@ -31,6 +31,33 @@ mitre_attack:
- T1556
- T1098
- T1566
mitre_f3:
version: '1.1'
tactics:
- initial-access
- stealth
- positioning
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
---
# Implementing Google Workspace Admin Security
@@ -27,6 +27,38 @@ mitre_attack:
- T1534
- T1036
- T1027
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Implementing Google Workspace Phishing Protection
@@ -25,6 +25,32 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Implementing Google Workspace SSO Configuration
@@ -30,6 +30,38 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- stealth
- resource-development
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1005.004
name: 'Account Manipulation: Change Account Details'
tactic: positioning
source: f3
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
---
# Implementing HashiCorp Vault Dynamic Secrets
@@ -38,6 +38,34 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- positioning
- initial-access
- monetization
- resource-development
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
---
# Implementing Honeypot for Ransomware Detection
@@ -26,6 +26,33 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- positioning
- initial-access
- defense-impairment
techniques:
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1042
name: Reactivate Account
tactic: positioning
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Implementing Identity Governance with SailPoint
@@ -31,6 +31,37 @@ mitre_attack:
- T1059
- T1566
- T1598
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- reconnaissance
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1111
name: Multi-Factor Authentication Interception
tactic: initial-access
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
---
# Implementing Identity Verification for Zero Trust
@@ -26,6 +26,34 @@ mitre_attack:
- T1598
- T1534
- T1036
mitre_f3:
version: '1.1'
tactics:
- initial-access
- reconnaissance
- stealth
- resource-development
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Implementing Mimecast Targeted Attack Protection
@@ -27,6 +27,33 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005.004
name: 'Account Manipulation: Change Account Details'
tactic: positioning
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Implementing PAM for Database Access
@@ -30,6 +30,35 @@ mitre_attack:
- T1556
- T1098
- T1566
mitre_f3:
version: '1.1'
tactics:
- initial-access
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1111
name: Multi-Factor Authentication Interception
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
---
# Implementing Passwordless Auth with Microsoft Entra
@@ -26,6 +26,33 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Implementing Privileged Access Management with CyberArk
@@ -28,6 +28,38 @@ mitre_attack:
- T1534
- T1036
- T1027
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- positioning
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: F1005.006
name: 'Account Manipulation: Change of Payment Details'
tactic: positioning
source: f3
---
# Implementing Proofpoint Email Security Gateway
@@ -42,6 +42,28 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Implementing Ransomware Backup Strategy
@@ -31,6 +31,28 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Implementing Ransomware Kill Switch Detection
@@ -27,6 +27,33 @@ mitre_attack:
- T1556
- T1098
- T1553
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1006.003
name: 'Account Takeover: Password Reset'
tactic: initial-access
source: f3
---
# Implementing SAML SSO with Okta
@@ -25,6 +25,33 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1005.004
name: 'Account Manipulation: Change Account Details'
tactic: positioning
source: f3
- id: F1042
name: Reactivate Account
tactic: positioning
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Implementing SCIM Provisioning with Okta
@@ -36,6 +36,33 @@ mitre_attack:
- T1059
- T1610
- T1611
mitre_f3:
version: '1.1'
tactics:
- resource-development
- initial-access
- stealth
techniques:
- id: T1195
name: Supply Chain Compromise
tactic: initial-access
source: attack
- id: T1608
name: Stage Capabilities
tactic: resource-development
source: attack
- id: T1608.006
name: 'Stage Capabilities: SEO Poisoning'
tactic: resource-development
source: attack
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
---
# Implementing Sigstore for Software Signing
@@ -23,6 +23,34 @@ mitre_attack:
- T1059
- T1566
- T1598
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
---
@@ -28,6 +28,33 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
---
# Implementing Zero Trust with HashiCorp Boundary
@@ -23,6 +23,39 @@ mitre_attack:
- T1685.005
- T1566
- T1598
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
- positioning
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -25,6 +25,33 @@ mitre_attack:
- T1119
- T1070
- T1486
mitre_f3:
version: '1.1'
tactics:
- initial-access
- stealth
- monetization
techniques:
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Investigating Ransomware Attack Artifacts
@@ -29,6 +29,36 @@ mitre_attack:
- T1537
- T1580
- T1566
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
---
# Managing Cloud Identity with Okta
@@ -41,6 +41,33 @@ mitre_attack:
- T1593
- T1589
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1650
name: Acquire Access
tactic: resource-development
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
---
# Monitoring Dark Web Sources
@@ -26,6 +26,34 @@ mitre_attack:
- T1556
- T1098
- T1071
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1005.007
name: 'Account Manipulation: Enable Account Features'
tactic: defense-impairment
source: f3
---
# Performing Access Recertification with Saviynt
@@ -28,6 +28,36 @@ mitre_attack:
- T1534
- T1036
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1185
name: Browser Session Hijacking
tactic: positioning
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Performing Adversary-in-the-Middle Phishing Detection
@@ -27,6 +27,38 @@ mitre_attack:
- T1593
- T1589
- T1566
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1583.008
name: 'Acquire Infrastructure: Malvertising'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
---
# Performing Brand Monitoring for Impersonation
@@ -32,6 +32,37 @@ mitre_attack:
- T1059
- T1078
- T1021
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- positioning
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1555.005
name: 'Credentials from Password Stores: Password Managers'
tactic: reconnaissance
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Performing Credential Access with LaZagne
@@ -22,6 +22,29 @@ mitre_attack:
- T1600
- T1573
- T1553
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- positioning
techniques:
- id: T1557
name: Adversary-in-the-Middle
tactic: positioning
source: attack
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
---
# Performing Cryptographic Audit of Application
@@ -29,6 +29,34 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1005.007
name: 'Account Manipulation: Enable Account Features'
tactic: defense-impairment
source: f3
---
# Performing Entitlement Review with SailPoint IdentityIQ
@@ -31,6 +31,32 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: T1110.001
name: 'Brute Force: Password Guessing'
tactic: initial-access
source: attack
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Performing Firmware Extraction with Binwalk
@@ -32,6 +32,41 @@ mitre_attack:
- T1059
- T1078
- T1003
mitre_f3:
version: '1.1'
tactics:
- resource-development
- initial-access
- positioning
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1111
name: Multi-Factor Authentication Interception
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Performing Initial Access with EvilGinx3
@@ -29,6 +29,37 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- stealth
techniques:
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1005.001
name: 'Account Manipulation: Account Linking'
tactic: positioning
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1023
name: Device Fingerprint Spoofing
tactic: stealth
source: f3
---
# Performing OAuth Scope Minimization Review
@@ -27,6 +27,37 @@ mitre_attack:
- T1593
- T1589
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1593.002
name: 'Search Open Websites/Domains: Search Engines'
tactic: reconnaissance
source: attack
- id: T1650
name: Acquire Access
tactic: resource-development
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
---
# Performing Paste Site Monitoring for Credentials
@@ -26,6 +26,37 @@ mitre_attack:
- T1598
- T1534
- T1036
mitre_f3:
version: '1.1'
tactics:
- resource-development
- initial-access
- reconnaissance
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
---
# Performing Phishing Simulation with GoPhish
@@ -22,6 +22,33 @@ mitre_attack:
- T1070
- T1078
- T1489
mitre_f3:
version: '1.1'
tactics:
- monetization
- stealth
- initial-access
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -31,6 +31,28 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Performing Ransomware Tabletop Exercise
@@ -28,6 +28,33 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- resource-development
- reconnaissance
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
@@ -26,6 +26,33 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- stealth
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1023
name: Device Fingerprint Spoofing
tactic: stealth
source: f3
---
# Performing Service Account Credential Rotation
@@ -31,6 +31,29 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
- defense-impairment
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1005
name: Account Manipulation
tactic: defense-impairment
source: f3
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
---
# Recovering from Ransomware Attack
@@ -34,6 +34,24 @@ mitre_attack:
- T1140
- T1497
- T1486
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
---
# Reverse Engineering Ransomware Encryption Routine
@@ -28,6 +28,32 @@ mitre_attack:
- T1537
- T1580
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: F1005.004
name: 'Account Manipulation: Change Account Details'
tactic: positioning
source: f3
---
# Securing AWS IAM Permissions
@@ -27,6 +27,28 @@ mitre_attack:
- T1070
- T1078
- T1489
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Testing Ransomware Recovery Procedures
@@ -29,6 +29,36 @@ mitre_attack:
- T1593
- T1589
- T1566
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
techniques:
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1583.008
name: 'Acquire Infrastructure: Malvertising'
tactic: resource-development
source: attack
- id: T1583.003
name: 'Acquire Infrastructure: Virtual Private Network or Server'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1608.006
name: 'Stage Capabilities: SEO Poisoning'
tactic: resource-development
source: attack
---
# Tracking Threat Actor Infrastructure
@@ -26,6 +26,28 @@ mitre_attack:
- T1070
- T1078
- T1489
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Validating Backup Integrity for Recovery