Commit

Automatically updated using GitHub Actions
svnscha committed Nov 13, 2024
1 parent 517cb46 commit ce013c1
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion annotation_mitre_attack.csv
Expand Up @@ -1675,7 +1675,7 @@ Server Client\Cache\</code>.(Citation: Moran RDPieces) Similarly, macOS and Linu
<p>Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS <code>postinstall</code> scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a <a href=""https://attack.mitre.org/techniques/T1543/004"" rel=""noopener"" target=""_blank"">Launch Daemon</a>) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)</p>
<p>Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include <code>preinst</code>, <code>postinst</code>, <code>prerm</code>, <code>postrm</code> scripts and run as root when executed.</p>
<p>For Windows, the Microsoft Installer services uses <code>.msi</code> files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)</p>","Process: Process Creation, Command: Command Execution, File: File Creation",""
"Udev Rules","T1546.017","https://attack.mitre.org/techniques/T1546/017","Linux","Persistence","<p>Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the <code>/dev</code> directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with <code>match keys</code> to specify the conditions a hardware event must meet and <code>action keys</code> to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in <code>/etc/udev/rules.d/</code>, <code>/run/udev/rules.d/</code>, <code>/usr/lib/udev/rules.d/</code>, <code>/usr/local/lib/udev/rules.d/</code>, and <code>/lib/udev/rules.d/</code>. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)</p>
"Udev Rules","T1546.017","https://attack.mitre.org/techniques/T1546/017","Linux","Persistence, Privilege Escalation","<p>Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the <code>/dev</code> directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with <code>match keys</code> to specify the conditions a hardware event must meet and <code>action keys</code> to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in <code>/etc/udev/rules.d/</code>, <code>/run/udev/rules.d/</code>, <code>/usr/lib/udev/rules.d/</code>, <code>/usr/local/lib/udev/rules.d/</code>, and <code>/lib/udev/rules.d/</code>. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)</p>
<p>Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as <code>/dev/random</code>, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key <code>RUN+=</code> to detach and run the malicious content&#8217;s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)</p>","Process: Process Creation, File: File Modification","<p>Monitor file creation and modification of Udev rule files in <code>/etc/udev/rules.d/</code>, <code>/lib/udev/rules.d/</code>, and /usr/lib/udev/rules.d/, specifically the <code>RUN</code> action key commands.(Citation: Ignacio Udev research 2024) </p>"
"Boot or Logon Autostart Execution","T1547","https://attack.mitre.org/techniques/T1547","Linux, macOS, Windows, Network","Persistence, Privilege Escalation","<p>Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.</p>
<p>Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.</p>","Process: OS API Execution, Module: Module Load, Command: Command Execution, File: File Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification, File: File Modification, Kernel: Kernel Module Load, Process: Process Creation, Driver: Driver Load","<p>Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. </p>
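Review bot: the only change in this hunk is the tactics column of the "Udev Rules" (T1546.017) row going from "Persistence" to "Persistence, Privilege Escalation", while the description and detection columns of the same row are untouched; the description still says root permissions are required to create or modify the rule files and describes no path by which the technique itself grants higher privileges, so the row now reads as internally inconsistent. Since the commit is an automated sync, check that the generator pulls the description and detection text from the same upstream revision as the tactics field, so a tactic change lands together with whatever wording justified it. Minor style point in the same row's detection column: `/usr/lib/udev/rules.d/` is the only path there not wrapped in `<code>`, unlike `<code>/etc/udev/rules.d/</code>` and `<code>/lib/udev/rules.d/</code>`, which is worth fixing at the source rather than in this generated file.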

0 comments on commit ce013c1