TA0042

Resource Development

The adversary is trying to establish resources they can use to support operations.

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

Techniques

Techniques: 7
T1583 Acquire Infrastructure

Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Additionally, botnets are available for rent or purchase.

  .001 Domains

Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
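A defender-side check for this sub-technique, added here as example code rather than anything from MITRE ATT&CK: generate the typosquat variants an adversary is likely to register for a domain you defend and match them against a feed of newly registered names. The defended name example.com, the SAMPLE_FEED list, and the homoglyph, TLD and affix sets are constructed assumptions for the example; in practice the feed would come from a newly-registered-domain or certificate-transparency source.

```python
"""Flag newly registered domains that imitate a domain you defend (T1583.001).

Added example, not MITRE ATT&CK's code. SAMPLE_FEED is a constructed
stand-in for a newly-registered-domain or certificate-transparency feed.
"""
from itertools import product

# Single-character substitutions that survive a quick glance (assumed set).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
# TLDs worth checking besides the defended one (assumed set).
TLDS = ("com", "net", "org", "co", "io")
# Words adversaries bolt on to a brand in phishing domains (assumed set).
AFFIXES = ("login", "secure", "support", "mail")


def typosquat_variants(domain: str) -> set:
    """Return the lookalike names a registrant is most likely to pick."""
    name, _, tld = domain.rpartition(".")
    labels = set()
    for i in range(len(name)):
        labels.add(name[:i] + name[i + 1:])            # omission: exmple
        labels.add(name[:i] + name[i] + name[i:])      # repetition: exaample
        if name[i] in HOMOGLYPHS:                      # homoglyph: examp1e
            labels.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    for i in range(len(name) - 1):                     # transposition: exmaple
        labels.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for affix in AFFIXES:                              # affix: example-login
        labels.add(f"{name}-{affix}")
        labels.add(f"{affix}-{name}")
    labels.discard(name)
    variants = {f"{label}.{t}" for label, t in product(labels, TLDS)}
    # The exact brand under a different TLD is a lookalike too.
    variants |= {f"{name}.{t}" for t in TLDS if t != tld}
    return variants


def find_lookalikes(defended: str, newly_registered) -> list:
    """Return feed entries that match a generated variant, sorted."""
    variants = typosquat_variants(defended)
    return sorted(d.lower().rstrip(".") for d in newly_registered
                  if d.lower().rstrip(".") in variants)


# Constructed feed for this example.
SAMPLE_FEED = [
    "exampl3.com",        # homoglyph
    "exmaple.com",        # transposition
    "example-login.net",  # affix
    "example.io",         # TLD swap
    "example.com",        # the defended domain itself: must not match
    "contoso.net",        # unrelated
]

if __name__ == "__main__":
    for hit in find_lookalikes("example.com", SAMPLE_FEED):
        print("lookalike registered:", hit)
```

Variant generation is deliberately exhaustive and cheap; the expensive part in production is the feed, so run the match against each day's delta rather than the full zone.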
  .002 DNS Server

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.

  .003 Virtual Private Server

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

  .004 Server

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.

  .005 Botnet

Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).

  .006 Web Services

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

  .007 Serverless

Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

T1586 Compromise Accounts

Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.
  .001 Social Media Accounts

Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.
  .002 Email Accounts

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).
  .003 Cloud Accounts

Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.
T1584 Compromise Infrastructure

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
  .001 Domains

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.
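A monitoring check for the hijacking pattern just described, added here as example code and not taken from MITRE ATT&CK: diff consecutive snapshots of a domain's registration record and alert when the registrant contact, nameservers, registrar or status locks change, and separately warn when expiry is close without auto-renew, which is the renewal gap the text refers to. The BASELINE and LATEST snapshots, their field names and the dates are constructed for the example; a real job would pull the record on a schedule from the registrar's RDAP endpoint or WHOIS and keep the previous copy for comparison.

```python
"""Watch a domain's registration record for the hijacking moves described
above (T1584.001): contact/registrar/nameserver/lock changes, and the
renewal gap that lets a lapsed name be re-registered.

Added example, not MITRE ATT&CK's code. BASELINE and LATEST are constructed
RDAP-style snapshots; a real job would fetch them on a schedule from the
registrar's RDAP endpoint or WHOIS and keep the previous copy for diffing.
"""
from datetime import date
from typing import Optional

# Fields whose change should page someone; the names are this example's own.
WATCHED_FIELDS = ("registrar", "registrant_email", "nameservers", "status")


def diff_registration(previous: dict, current: dict) -> list:
    """One alert per watched field that differs between two snapshots."""
    alerts = []
    for field in WATCHED_FIELDS:
        old, new = previous.get(field), current.get(field)
        if isinstance(old, (list, tuple, set)):      # reordering is not a change
            old, new = sorted(old), sorted(new or [])
        if old != new:
            alerts.append(f"{current['domain']}: {field} changed {old!r} -> {new!r}")
    return alerts


def renewal_risk(record: dict, today: date, window_days: int = 30) -> Optional[str]:
    """Warn when expiry is near and auto-renew is off: the window in which a
    lapsed name can be re-registered or a registrar help desk talked into
    'recovering' it for someone else."""
    days_left = (date.fromisoformat(record["expires"]) - today).days
    if days_left <= window_days and not record.get("auto_renew", False):
        return f"{record['domain']}: expires in {days_left} days without auto-renew"
    return None


# Constructed snapshots for this example.
BASELINE = {
    "domain": "example.com",
    "registrar": "Example Registrar, Inc.",
    "registrant_email": "dns-admin@example.com",
    "nameservers": ["ns1.example.com", "ns2.example.com"],
    "status": ["clientTransferProhibited", "clientUpdateProhibited"],
    "expires": "2024-02-10",
    "auto_renew": False,
}
LATEST = {
    **BASELINE,
    # contact swapped after a "forgot password" reset on the owner's mailbox
    "registrant_email": "recovery@mailbox.example.net",
    # one nameserver now points at infrastructure the owner does not control
    "nameservers": ["ns1.example.com", "ns1.badhost.example"],
    # transfer/update locks removed ahead of a registrar transfer
    "status": ["ok"],
}

if __name__ == "__main__":
    for alert in diff_registration(BASELINE, LATEST):
        print("ALERT", alert)
    warning = renewal_risk(BASELINE, date(2024, 1, 20))
    if warning:
        print("WARN", warning)
```

The status locks are worth watching on their own: a legitimate registrar transfer also clears clientTransferProhibited, so the alert is a prompt to confirm with whoever owns the domain, not proof of compromise.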
  .002 DNS Server

Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
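Whether the adversary runs their own authoritative DNS server (T1583.002) or has taken over a third party's (T1584.002), the defender's view is the same: resolver query logs in which one registered domain receives many unique, long, high-entropy subdomain labels. The detection below is an added example written for this page, not MITRE ATT&CK's code; the log lines are constructed in a "timestamp client qname qtype" layout, the domain update-check.example is fictitious, and the thresholds are starting points to tune against a real baseline.

```python
"""Score resolver query logs for DNS tunnelling to an adversary-run DNS
server (T1583.002 / T1584.002).

Added example, not MITRE ATT&CK's code. The log lines are constructed
("timestamp client qname qtype"); BIND querylog, Windows DNS analytic
events or Zeek dns.log need their own parse_line().
"""
import math
import random
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted chunks sit near 4-5 bits."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n)
                for c in (text.count(ch) for ch in set(text)))


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). Use the Public Suffix List in
    production so names like example.co.uk group correctly."""
    return ".".join(qname.split(".")[-2:])


def parse_line(line: str):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.lower().rstrip("."), qtype.upper()


def score_domains(lines, min_queries: int = 5) -> dict:
    """Aggregate per registered domain; return those that look like a tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "label_len": [], "entropy": [], "rare_types": 0})
    for line in lines:
        _, _, qname, qtype = parse_line(line)
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        st = stats[dom]
        st["queries"] += 1
        if sub:
            longest = max(sub.split("."), key=len)
            st["subdomains"].add(sub)
            st["label_len"].append(len(longest))
            st["entropy"].append(shannon_entropy(longest))
        if qtype in ("TXT", "NULL"):      # payload-friendly record types
            st["rare_types"] += 1
    suspicious = {}
    for dom, st in stats.items():
        if st["queries"] < min_queries or not st["subdomains"]:
            continue
        unique_ratio = len(st["subdomains"]) / st["queries"]
        avg_len = sum(st["label_len"]) / len(st["label_len"])
        avg_ent = sum(st["entropy"]) / len(st["entropy"])
        # Starting thresholds; tune against your own resolver baseline.
        if unique_ratio > 0.8 and avg_len >= 20 and avg_ent >= 3.5:
            suspicious[dom] = {"queries": st["queries"],
                               "unique_ratio": round(unique_ratio, 2),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2),
                               "rare_type_queries": st["rare_types"]}
    return suspicious


# Constructed benign traffic.
BENIGN_LINES = [
    "2024-03-01T10:00:00 10.0.0.5 www.example.com A",
    "2024-03-01T10:00:01 10.0.0.5 www.example.com A",
    "2024-03-01T10:00:02 10.0.0.7 mail.example.com A",
    "2024-03-01T10:00:03 10.0.0.9 cdn.example.com A",
    "2024-03-01T10:00:04 10.0.0.9 www.example.com AAAA",
    "2024-03-01T10:00:05 10.0.0.5 api.example.com A",
]

# Constructed tunnel traffic: base32-looking chunks as subdomains, one per
# query, all under a domain whose authoritative server the adversary runs.
_rng = random.Random(1234)
_ALPHABET = list("abcdefghijklmnopqrstuvwxyz234567")


def _chunk(length: int) -> str:
    _rng.shuffle(_ALPHABET)
    return "".join(_ALPHABET[:length])


TUNNEL_LINES = [
    f"2024-03-01T10:01:{i:02d} 10.0.0.23 {_chunk(32)}.{_chunk(16)}.update-check.example TXT"
    for i in range(8)
]

if __name__ == "__main__":
    for dom, info in score_domains(BENIGN_LINES + TUNNEL_LINES).items():
        print(dom, info)
```

Content delivery networks and some antivirus update services also produce long, unique labels, so keep an allowlist of known-good registered domains in front of this scoring rather than lowering the thresholds.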
  .003 Virtual Private Server

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.

  .004 Server

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.

  .005 Botnet

Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).

  .006 Web Services

Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.

  .007 Serverless

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
T1587 Develop Capabilities

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.
  .001 Malware

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

  .002 Code Signing Certificates

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.

  .003 Digital Certificates

Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).

  .004 Exploits

Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits. Adversaries may use information acquired via Vulnerabilities to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.
T1585 Establish Accounts

Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.
  .001 Social Media Accounts

Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.

  .002 Email Accounts

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).

  .003 Cloud Accounts

Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.
T1588 Obtain Capabilities

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
  .001 Malware

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

  .002 Tool

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.

  .003 Code Signing Certificates

Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.

  .004 Digital Certificates

Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

  .005 Exploits

Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.

  .006 Vulnerabilities

Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.
T1608 Stage Capabilities

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.
  .001 Upload Malware

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.

  .002 Upload Tool

Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.
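Staged malware (.001) and tools (.002) sit on infrastructure the defender cannot see; what the defender does see is the Ingress Tool Transfer that fetches them. The detection below is an added example written for this page, not MITRE ATT&CK's code: it scans a forward-proxy log for successful GETs that carry the signals of such a fetch, namely an executable or script extension, a raw IP address instead of a purchased domain, one of the public staging hosts the text names (GitHub, Pastebin), or a user agent belonging to a downloader rather than a browser (certutil.exe identifies itself as Microsoft-CryptoAPI, PowerShell's web cmdlets as WindowsPowerShell, plus BITS, curl and wget). The SAMPLE_LOG lines, their simplified layout, the 203.0.113.0/24 address and the repository and paste paths are constructed for the example.

```python
"""Flag outbound downloads of staged malware or tools (T1608.001 / .002)
in a forward-proxy log, the defender-side view of Ingress Tool Transfer.

Added example, not MITRE ATT&CK's code. SAMPLE_LOG is constructed in a
simplified 'ts client method url status "user-agent"' layout; adapt
parse_line() to your proxy's real fields.
"""
import re
from urllib.parse import urlparse

# Extensions adversaries stage for download (assumed list; extend locally).
PAYLOAD_EXT = re.compile(
    r"\.(exe|dll|ps1|psm1|hta|vbs|js|jse|scr|msi|bat|cmd|lnk|iso|img|zip|7z|rar)$", re.I)
# Public services the text names as staging locations (raw-content hosts).
STAGING_HOSTS = ("raw.githubusercontent.com", "gist.githubusercontent.com", "pastebin.com")
# User-agent fragments of fetchers run on victims instead of a browser:
# certutil (Microsoft-CryptoAPI), PowerShell web cmdlets, BITS, curl, wget.
TOOL_UA = ("Microsoft-CryptoAPI", "WindowsPowerShell", "Microsoft BITS",
           "curl/", "Wget/", "python-requests")
RAW_IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
                    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Independent signals that a request fetched a staged capability."""
    u = urlparse(entry["url"])
    host = (u.hostname or "").lower()
    reasons = []
    if PAYLOAD_EXT.search(u.path):
        reasons.append("payload-extension")
    if RAW_IP_HOST.match(host):
        reasons.append("raw-ip-host")          # no domain acquired at all
    if host in STAGING_HOSTS:
        reasons.append("public-staging-host")
    if any(tag in entry["ua"] for tag in TOOL_UA):
        reasons.append("tool-user-agent")
    return reasons


def find_ingress_downloads(lines) -> list:
    """Successful GETs carrying at least one signal; two or more rate 'high'."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "GET" or not e["status"].startswith("2"):
            continue
        reasons = classify(e)
        if reasons:
            hits.append({"client": e["client"], "url": e["url"],
                         "reasons": reasons,
                         "severity": "high" if len(reasons) >= 2 else "low"})
    return hits


# Constructed proxy log (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    '2024-03-01T12:00:01 10.0.0.41 GET https://www.example.com/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"',
    '2024-03-01T12:00:05 10.0.0.41 GET http://203.0.113.50/update.exe 200 '
    '"Microsoft-CryptoAPI/10.0"',
    '2024-03-01T12:00:09 10.0.0.41 GET https://raw.githubusercontent.com/someone/tools/main/PsExec64.exe 200 '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2024-03-01T12:00:12 10.0.0.52 GET https://pastebin.com/raw/AbC123xy 200 "curl/8.4.0"',
    '2024-03-01T12:00:15 10.0.0.52 GET https://www.example.com/docs/report.pdf 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"',
    '2024-03-01T12:00:20 10.0.0.60 GET https://cdn.example.org/app/setup.msi 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"',
]

if __name__ == "__main__":
    for hit in find_ingress_downloads(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["client"], hit["url"], ",".join(hit["reasons"]))
```

A single signal is noisy on its own (software updates are .msi files fetched by browsers all day), which is why the severity only rises when the extension, host and user-agent signals agree; the low-severity hits are still worth keeping as context for an investigation.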
  .003 Install Digital Certificate

Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.

  .004 Drive-by Target

Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).

  .005 Link Target

Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in Malicious Link. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in Spearphishing Link) or a phish to gain initial access to a system (as in Spearphishing Link), an adversary must set up the resources for a link target for the spearphishing link.

  .006 SEO Poisoning

Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site's ranking/score/reputation calculated by their web crawlers and algorithms.

 

Translated from the original page: Last Modified: 30 September 2020