diff --git a/src/ontology/d3fend-protege.ttl b/src/ontology/d3fend-protege.ttl index 55e15b5..1be1956 100644 --- a/src/ontology/d3fend-protege.ttl +++ b/src/ontology/d3fend-protege.ttl @@ -343,6 +343,11 @@ Moving forward different distinctions of kinds of has-part (contains) relationsh rdfs:subPropertyOf :reads ; :definition "definition \"x enumerates y: The subject x takes the action of reading from a digital source y to acquire data and create a list of its contents." . +:erases a owl:ObjectProperty ; + rdfs:label "erases" ; + rdfs:subPropertyOf :associated-with ; + :description "x erases y: A technique x removes recorded data from storage device y creating space for new data." . + :evaluated-by a owl:ObjectProperty ; rdfs:label "evaluated-by" ; rdfs:subPropertyOf :associated-with ; @@ -4046,7 +4051,7 @@ Effective implementation requires identifying any location that could end up con owl:someValuesFrom :Evict ] ; :d3fend-id "D3-CE" ; :definition "Credential Eviction techniques disable or remove compromised credentials from a computer network." ; - :enables :Evict . + :kb-reference :Reference-AccountMonitoring_ForescoutTechnologies . :CredentialHardening a :CredentialHardening, owl:Class, @@ -4066,10 +4071,10 @@ Effective implementation requires identifying any location that could end up con rdfs:isDefinedBy ; :definition "Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI)." . -:CredentialRevoking a :CredentialRevoking, +:CredentialRevocation a :CredentialRevocation, owl:Class, owl:NamedIndividual ; - rdfs:label "Credential Revoking" ; + rdfs:label "Credential Revocation" ; rdfs:subClassOf :CredentialEviction, [ a owl:Restriction ; owl:onProperty :deletes ; 
@@ -9915,6 +9920,51 @@ Wikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki :definition "Encrypting a hard disk partition to prevent cleartext access to a file system." ; :kb-reference :Reference-LUKS1On-DiskFormatSpecificationVersion1.2.3 . +:DiskErasure a :DiskErasure, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Disk Erasure" ; + rdfs:subClassOf :DiskFormatting, + [ a owl:Restriction ; + owl:onProperty :erases ; + owl:someValuesFrom :SecondaryStorage ] ; + :d3fend-id "D3-DKE" ; + :definition "Disk Erasure is the process of securely deleting all data on a disk to ensure that it cannot be recovered by any means." ; + :kb-article """### How it works + +Disk Erasure involves overwriting the existing data with random or specific patterns multiple times. Disk erasure is crucial for data sanitization, ensuring that sensitive information is completely removed from storage devices before they are repurposed, disposed of, or transferred to another party.""" ; + :kb-reference . + +:DiskFormatting a :DiskFormatting, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Disk Formatting" ; + rdfs:subClassOf :ObjectEviction, + [ a owl:Restriction ; + owl:onProperty :modifies ; + owl:someValuesFrom :SecondaryStorage ] ; + :d3fend-id "D3-DKF" ; + :definition "Disk Formatting is the process of preparing a data storage device, such as a hard drive, solid-state drive, or USB flash drive, for initial use." ; + :kb-article """### How it works + +This process involves setting up an empty file system on the disk, which includes creating a directory structure and initializing metadata structures. In cybersecurity, disk formatting can be used to remove all existing data on a disk, making it a clean slate for new data storage or to prevent unauthorized access to previously stored data.""" ; + :kb-reference . 
+ +:DiskPartitioning a :DiskPartitioning, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Disk Partitioning" ; + rdfs:subClassOf :DiskFormatting, + [ a owl:Restriction ; + owl:onProperty :creates ; + owl:someValuesFrom :PartitionTable ] ; + :d3fend-id "D3-DKP" ; + :definition "Disk Partitioning is the process of dividing a disk into multiple distinct sections, known as partitions." ; + :kb-article """### How it works + +Each partition can be managed separately and can have its own file system. Disk partitioning can be used to segregate sensitive data from less critical data, improve system performance, and enhance data management and recovery processes. It can also help in isolating different operating systems or environments on the same physical disk.""" ; + :kb-reference . + :DisplayAdapter a owl:Class ; rdfs:label "Display Adapter" ; skos:altLabel "Display Card", @@ -9989,6 +10039,24 @@ OpenReview. (n.d.). Unsupervised Clustering using Pseudo Ensemble Models. [Link] :kb-reference :Reference-DNSWhitelist-DNSWL-EmailAuthenticationMethodExtension ; :synonym "DNS Whitelisting" . +:DNSCacheEviction a :DNSCacheEviction, + owl:Class, + owl:NamedIndividual ; + rdfs:label "DNS Cache Eviction" ; + rdfs:subClassOf :ObjectEviction, + [ a owl:Restriction ; + owl:onProperty :deletes ; + owl:someValuesFrom :DNSRecord ] ; + :d3fend-id "D3-DNSCE" ; + :definition "Flushing DNS to clear any IP addresses or other DNS records from the cache." ; + :kb-article """# How it works + +Flushing the DNS Cache will clear the IP addresses of websites you have visited recently. This can help remediate DNS Cache Poisoning attacks, which is a type of cyber attack where corrupted DNS data is inserted into the cache, causing redirects to malicious websites. + +On windows, the DNS cache can be wiped by issuing the command `ipconfig /flushdns`.""" ; + :kb-reference ; + :synonym "Flush DNS Cache" . + :DNSDenylisting a :DNSDenylisting, owl:Class, owl:NamedIndividual ; 
@@ -10139,6 +10207,35 @@ This technique does not check for content hosted at the domain. rdfs:seeAlso , . +:DomainRegistrationTakedown a :DomainRegistrationTakedown, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Domain Registration Takedown" ; + rdfs:subClassOf :ObjectEviction, + [ a owl:Restriction ; + owl:onProperty :deletes ; + owl:someValuesFrom :DomainRegistration ] ; + :d3fend-id "D3-DRT" ; + :definition "The process of performing a takedown of the attacker's domain registration infrastructure." ; + :kb-article """## How it works + +Most nameserver hosts and domain name registrars comply with internationally recognised standards and supply their services based on terms and conditions that provide users and organisations protection from abuse and trademark infringement. Performing a WHOIS query on the attacker's domain will provide a contact that can be notified in the case of abuse. Formal takedown processes should be initiated to suspend or disable the normal function of the domain name. + +## Considerations + +- Takedown notifications should clearly demonstrate (with evidence) that the nameserver or registrars Terms and Conditions have been breached. +- Takedown processes are notoriously slow and sometimes unsuccessful. +- Many government organisations will have takedown processes that should also be followed. They may use this for intelligence to assist other organisations suffering an attack. +- Top level domain registrars will have takedown processes that can be followed, as an escalation path, when the nameserver host and/or registrar have not responded or complied timeously or inline with the TLD expectations. + +## Examples of Domain Registration Abuse + +Attackers will create infrastructure from which to carry out their operations and this may include registering domain names to be used in the various attacks. Known misuse cases include: + +- Registering domain names that are similar to the victim's. 
This is known as typosquatting or URL hijacking. Legitimate looking mails or URLs could be sent using this domain in phishing campaigns. +- Registring domain names that are used in C2 beacons.""" ; + :kb-reference :Reference-UnderstandingtheDomainRegistrationBehaviorofSpammers . + :DomainTrustPolicy a :DomainTrustPolicy, owl:Class, owl:NamedIndividual ; @@ -10281,7 +10378,7 @@ This technique is distinct from d3f:EmailDeletion because it prevents an email f owl:Class, owl:NamedIndividual ; rdfs:label "Email Removal" ; - rdfs:subClassOf :FileRemoval, + rdfs:subClassOf :FileEviction, [ a owl:Restriction ; owl:onProperty :deletes ; owl:someValuesFrom :Email ], 
@@ -10886,12 +10983,24 @@ Asymmetric encryption is typically accomplished using public and private key cer owl:Class, owl:NamedIndividual ; rdfs:label "File Eviction" ; - rdfs:subClassOf :DefensiveTechnique, + rdfs:subClassOf :ObjectEviction, [ a owl:Restriction ; - owl:onProperty :enables ; - owl:someValuesFrom :Evict ] ; + owl:onProperty :deletes ; + owl:someValuesFrom :File ] ; :d3fend-id "D3-FEV" ; - :definition "File eviction techniques evict files from system storage." . + :definition "File eviction techniques delete files from system storage." ; + :kb-article """## How it works + +Adversaries may place files or programs into a computer's file system to perform malicious actions. As part of the eviction process, these files and programs should be removed to prevent further compromise or reinfection. Examples of malicious types of files are malware which is directly harmful and content files with the intent to deceive users (e.g., phishing.) + +On Windows systems, antivirus (AV) software should be used to safely and permanently remove malicious files. AV software may first quarantine a suspected malicious file, which is the process of moving a file from its original location to a new location and makes changes so that it cannot be executed. Users can then verify that the file is not benign and then permanently delete it. + +## Considerations + +When it is determined that a file should be removed for security purposes, the organization--or systems implementing an organization's policies--may determine that the file should not simply be deleted from the enterprise's mission systems, but be quarantined to a secure system by an approved mechanism, so as to allow follow-up investigation by security staff. + +On Windows systems, deleting a file in File Explorer does not permanently delete a file - it sends it to the Recycle Bin instead. The Recycle Bin must be emptied, or alternative steps must be performed to remove files completely. 
Even then, in some cases the data may persist in disk, so data shredder tools may be needed to completely wipe a file. Thus, AV tools are recommended.""" ; + :kb-reference :Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives . :FileHash a owl:Class ; rdfs:label "File Hash" ; 
@@ -10959,33 +11068,6 @@ Files can change constantly due to the non-static nature of a computer system. F owl:someValuesFrom :OpenFile ] ; :definition "Has an input of a file path, and opens a file handle for reading or writing." . -:FileRemoval a :FileRemoval, - owl:Class, - owl:NamedIndividual ; - rdfs:label "File Removal" ; - rdfs:subClassOf :FileEviction, - [ a owl:Restriction ; - owl:onProperty :deletes ; - owl:someValuesFrom :File ], - [ a owl:Restriction ; - owl:onProperty :may-access ; - owl:someValuesFrom :FileServer ] ; - :d3fend-id "D3-FR" ; - :definition "The file removal technique deletes malicious artifacts or programs from a computer system." ; - :kb-article """## How it works - -Adversaries may place files or programs into a computer's file system to perform malicious actions. As part of the eviction process, these files and programs should be removed to prevent further compromise or reinfection. Examples of malicious types of files are malware which is directly harmful and content files with the intent to deceive users (e.g., phishing.) - -On Windows systems, antivirus (AV) software should be used to safely and permanently remove malicious files. AV software may first quarantine a suspected malicious file, which is the process of moving a file from its original location to a new location and makes changes so that it cannot be executed. Users can then verify that the file is not benign and then permanently delete it. - -## Considerations - -When it is determined that a file should be removed for security purposes, the organization--or systems implementing an organization's policies--may determine that the file should not simply be deleted from the enterprise's mission systems, but be quarantined to a secure system by an approved mechanism, so as to allow follow-up investigation by security staff. - -On Windows systems, deleting a file in File Explorer does not permanently delete a file - it sends it to the Recycle Bin instead. 
The Recycle Bin must be emptied, or alternative steps must be performed to remove files completely. Even then, in some cases the data may persist in disk, so data shredder tools may be needed to completely wipe a file. Thus, AV tools are recommended.""" ; - :kb-reference :Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives ; - :synonym "File Deletion" . - :FileSection a owl:Class ; rdfs:label "File Section" ; skos:altLabel "File Part" ; @@ -12815,6 +12897,16 @@ Unlike other algorithms that explicitly model the problem, such as linear regres :definition "A ticket granting ticket issued by a Kerberos system; that is, a ticket that grants a user domain admin access." ; rdfs:seeAlso . +:KerberosTicketGrantingTicketAccount a owl:Class ; + rdfs:label "Kerberos Ticket Granting Ticket Account" ; + rdfs:subClassOf :ServiceAccount, + [ a owl:Restriction ; + owl:onProperty :creates ; + owl:someValuesFrom :KerberosTicketGrantingTicket ] ; + :definition "KRBTGT is an account used by Key Distribution Center (KDC) service to issue Ticket Granting Tickets (TGTs) as part of the Kerberos authentication protocol." ; + rdfs:seeAlso "https://blog.quest.com/what-is-krbtgt-and-why-should-you-change-the-password/" ; + :synonym "krbtgt" . + :Kernel a owl:Class ; rdfs:label "Kernel" ; rdfs:subClassOf :SystemSoftware, 
@@ -14547,6 +14639,18 @@ Wikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/No :d3fend-id "D3A-NPM" ; :definition "Numeric pattern matching uses a pattern specification and sees if the numeric value matches that pattern--simple forms include exact matching and range matching." . +:ObjectEviction a :ObjectEviction, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Object Eviction" ; + rdfs:subClassOf :DefensiveTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :Evict ] ; + :d3fend-id "D3-OE" ; + :definition "Terminate or remove an object from a host machine. This is the broadest class for object eviction." ; + :enables :Evict . + :ObjectFile a owl:Class ; rdfs:label "Object File" ; rdfs:subClassOf :File ; @@ -15318,7 +15422,10 @@ Newcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.nc rdfs:subClassOf :DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty :addresses ; - owl:someValuesFrom :Partition ] ; + owl:someValuesFrom :Partition ], + [ a owl:Restriction ; + owl:onProperty :may-contain ; + owl:someValuesFrom :BootRecord ] ; rdfs:isDefinedBy ; :definition "A partition is a fixed-size subset of a storage device which is treated as a unit by the operating system. A partition table is a table maintained on the storage device by the operating system describing the partitions on that device. The terms partition table and partition map are most commonly associated with the MBR partition table of a Master Boot Record (MBR) in IBM PC compatibles, but it may be used generically to refer to other \"formats\" that divide a disk drive into partitions, such as: GUID Partition Table (GPT), Apple partition map (APM), or BSD disklabel." . 
@@ -15987,7 +16094,7 @@ False negatives can occur via alteration of the verification logic or source of owl:someValuesFrom :Evict ] ; :d3fend-id "D3-PE" ; :definition "Process eviction techniques terminate or remove running process." ; - :enables :Evict . + :kb-reference :Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc . :ProcessImage a owl:Class ; rdfs:label "Process Image" ; @@ -16631,6 +16738,18 @@ A regular expression (shortened as regex or regexp) is a sequence of characters :synonym "Regex", "Regexp" . +:RegistryKeyDeletion a owl:Class, + owl:NamedIndividual, + :RegistryKeyDeletion ; + rdfs:label "Registry Key Deletion" ; + rdfs:subClassOf :ObjectEviction, + [ a owl:Restriction ; + owl:onProperty :deletes ; + owl:someValuesFrom :WindowsRegistryKey ] ; + :d3fend-id "D3-RKD" ; + :definition "Delete a registry key." ; + :kb-reference :Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks . + :RegressionAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Regression Analysis" ; @@ -16662,7 +16781,7 @@ Reinforcement learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Reinfor owl:NamedIndividual, :ReissueCredential ; rdfs:label "Reissue Credential" ; - rdfs:subClassOf :RestoreObject, + rdfs:subClassOf :RestoreAccess, [ a owl:Restriction ; owl:onProperty :restores ; owl:someValuesFrom :Credential ] ; @@ -17485,6 +17604,12 @@ Yu, L., Zhang, W., Wang, J., & Yu, Y. (2017). SeqGAN: Sequence Generative Advers rdfs:label "Service" ; rdfs:subClassOf :CapabilityImplementation . +:ServiceAccount a owl:Class ; + rdfs:label "Service Account" ; + rdfs:subClassOf :UserAccount ; + :definition "A service account is a type of account used by an application or service to interact with the operating system." ; + :synonym "System Account" . + :ServiceApplication a owl:Class ; rdfs:label "Service Application" ; rdfs:subClassOf :Application ; 
@@ -17589,6 +17714,19 @@ Detecting unauthorized user sessions by comparing the duration of a user logon s :kb-reference , :Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC . +:SessionTermination a owl:Class, + owl:NamedIndividual, + :SessionTermination ; + rdfs:label "Session Termination" ; + rdfs:subClassOf :ProcessEviction, + [ a owl:Restriction ; + owl:onProperty :deletes ; + owl:someValuesFrom :Session ] ; + :definition "Forcefully end all active sessions associated with compromised accounts or devices." ; + :has-link "D3-ST" ; + :kb-article "Defined in NIST 800-53 as AC-12." ; + :kb-reference :Reference-NIST-Special-Publication-800-53A-Revision-5 . + :SetRegisters a owl:Class ; rdfs:label "Set Registers" ; rdfs:subClassOf :SystemCall, @@ -26911,7 +27049,9 @@ In order to convince the potential attacker that the deception environment is th rdfs:label "Reference - Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise - CISA" ; :has-link "https://www.cisa.gov/news-events/analysis-reports/ar21-134a"^^xsd:anyURI ; :kb-organization "CISA" ; - :kb-reference-of :CredentialRotation ; + :kb-reference-of :CredentialRotation, + :DNSCacheEviction, + :MFATokenRevocation ; :kb-reference-title "Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise" . a owl:NamedIndividual, 
@@ -26926,6 +27066,16 @@ In order to convince the potential attacker that the deception environment is th :kb-reference-title "Isolation of applications within a virtual machine" ; :todo "MITRE Analysis was not found" . + a :AcademicPaperReference, + owl:NamedIndividual ; + rdfs:label "Reference - Remembrance of data passed: A study of disk sanitization practices" ; + :has-link "https://www.researchgate.net/profile/Simson-Garfinkel/publication/3437324_Remembrance_of_data_passed_A_study_of_disk_sanitization_practices/links/550de6d40cf2128741677d9f/Remembrance-of-data-passed-A-study-of-disk-sanitization-practices.pdf" ; + :kb-author "Simson L Garfinkel, Abhi Shelat" ; + :kb-reference-of :DiskErasure, + :DiskFormatting, + :DiskPartitioning ; + :kb-reference-title "Remembrance of Data Passed: A Study of Disk Sanitization Practices" . + a owl:NamedIndividual, :PatentReference ; rdfs:label "Reference - Supply chain cyber-deception - Cymmetria, Inc." ; @@ -28349,6 +28499,8 @@ This requires filesystem data to determine whether files have been created.""" ; :kb-author "Cybersecurity and Infrastructure Security Agency" ; :kb-mitre-analysis " " ; :kb-organization "Cybersecurity and Infrastructure Security Agency" ; + :kb-reference-of :RegistryKeyDeletion, + :UserAccountDeletion ; :kb-reference-title "Cybersecurity Incident & Vulnerability Response Playbooks" . :Reference-CyberVaccineAndPredictiveMalwareDefensiveMethodsAndSystems a owl:NamedIndividual, 
@@ -29088,7 +29240,6 @@ The user interaction and the code process executed during the user session are m :has-link "https://www.safetydetectives.com/blog/how-does-antivirus-quarantine-work/"^^xsd:anyURI ; :kb-abstract "Your antivirus has just finished a regular scan and it’s asking whether you want to quarantine the virus it’s found. You click ‘yes’ without putting much thought into what’s actually happening. But what does quarantining actually mean, what does it do and is it safe for your computer? It’s important to understand the details so that you know what’s happening when you send infected files into quarantine." ; :kb-author "Katarina Glamoslija" ; - :kb-reference-of :FileRemoval ; :kb-reference-title "How Does Antivirus Quarantine Work?" . :Reference-HowToChangeRegistryValuesOrPermissionsFromACommandLineOrAScript a :InternetArticleReference, @@ -30095,6 +30246,13 @@ This identifier is present three times during the RPC request phase. Any sensor :kb-reference-title "CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks" ; :todo "MITRE Analysis was not found" . +:Reference-RemotelyTriggeredBlackHoleFiltering-Cisco a :AcademicPaperReference, + owl:NamedIndividual ; + rdfs:label "Reference - Remotely Triggered Black Hole FIltering - Cisco" ; + :has-link "https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf" ; + :kb-organization "Cisco" ; + :kb-reference-title "Remotely Triggered Black Hole Filtering - Destination Based and Source Based" . + :Reference-RemoteRegistry_MITRE a :ExternalKnowledgeBase, owl:NamedIndividual ; rdfs:label "Reference - CAR-2014-11-005: Remote Registry - MITRE" ; 
@@ -30129,7 +30287,7 @@ All of these behaviors call into the Windows API, which uses the NamedPipe WINRE :has-link "https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/how-to-issuer-revoke"^^xsd:anyURI ; :kb-author "Barclay Neira, Christer Ljung, Juan Camilo Ruiz, John Flores" ; :kb-organization "Microsoft" ; - :kb-reference-of :CredentialRevoking ; + :kb-reference-of :CredentialRevocation ; :kb-reference-title "Revoke a previously issued verifiable credential" . :Reference-RFC2289-AOne-TimePasswordSystem a owl:NamedIndividual, 
@@ -31035,6 +31193,15 @@ This specification defines the Trusted Platform Module (TPM) a device that enabl :kb-reference-of :BootloaderAuthentication ; :kb-reference-title "UEFI Platform Initialization (PI) Specification" . +:Reference-UnderstandingtheDomainRegistrationBehaviorofSpammers a :AcademicPaperReference, + owl:NamedIndividual ; + rdfs:label "Reference - Understanding the Domain Registration Behavior of Spammers" ; + :has-link "https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=bf4d34a6f9d0168bb07433e84c1567bbe1ba8188" ; + :kb-abstract "Spammers register a tremendous number of domains to evade blacklisting and takedown efforts. Current techniques to detect such domains rely on crawling spam URLs or monitoring lookup traffic. Such detection techniques are only effective after the spammers have already launched their campaigns, and thus these countermeasures may only come into play after the spammer has already reaped significant benefits from the dissemination of large volumes of spam. In this paper we examine the registration process of such domains, with a particular eye towards features that might indicate that a given domain likely has a malicious purpose at registration time, before it is ever used for an attack. Our assessment includes exploring the characteristics of registrars, domain life cycles, registration bursts, and naming patterns. By investigating zone changes from the .com TLD over a 5-month period, we discover that spammers employ bulk registration, that they often re-use domains previously registered by others, and that they tend to register and host their domains over a small set of registrars. Our findings suggest steps that registries or registrars could use to frustrate the efforts of miscreants to acquire domains in bulk, ultimately reducing their agility for mounting large-scale attacks." 
; + :kb-author "Hao S, Thomas M, Paxson V, Feamster N, Kreibich C, Grier C, Hollenbeck S" ; + :kb-reference-of :DomainRegistrationTakedown ; + :kb-reference-title "Understanding the Domain Registration Behavior of Spammers" . + :Reference-UnifiedArchitectureFrameworkUAF a owl:NamedIndividual, :SpecificationReference ; rdfs:label "Reference - Unified Architecture Framework (UAF)" ;
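Review bot: `:erases` (hunk @@ -343) uses `:description` for its gloss while the neighbouring object properties in the same context (`:enumerates`, `:evaluated-by`) use `:definition`; switch to `:definition` so tooling that reads property definitions picks this one up. Two smaller points: parenting it under `:associated-with` discards the fact that erasure is a write to the device, whereas the new `:DiskFormatting` entry in this same change models the same kind of effect with `:modifies`, so `rdfs:subPropertyOf :modifies` (or `:deletes`) would carry more meaning; and "creating space for new data" describes a storage-management side effect rather than the security intent, so wording along the lines of "so that the data cannot be recovered" matches how `:DiskErasure` uses the property.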
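Review bot: dropping the explicit `:enables :Evict` triple on `:CredentialEviction` (hunk @@ -4046) is inconsistent with the new `:ObjectEviction`, which keeps both the `:enables`/`:Evict` restriction and the explicit `:enables :Evict` assertion; either the assertion is redundant everywhere and should go from `:ObjectEviction` too, or it should stay here. The hunk also adds `:kb-reference :Reference-AccountMonitoring_ForescoutTechnologies` without a matching `:kb-reference-of :CredentialEviction` on that reference individual, while the rest of this change does maintain the inverse (see the CISA and SafetyDetectives reference hunks); please add it.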
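Review bot: renaming the IRI `:CredentialRevoking` to `:CredentialRevocation` (hunk @@ -4066) breaks anything that already links to the old IRI or searches on the old label; keep "Credential Revoking" as a `:synonym` on the renamed entry, and confirm the `:d3fend-id` line below the visible context is unchanged so the technique ID survives the rename.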
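Review bot: the class hierarchy in hunk @@ -9915 inverts the real relationship: `:DiskErasure rdfs:subClassOf :DiskFormatting` and `:DiskPartitioning rdfs:subClassOf :DiskFormatting`, but partitioning precedes formatting and erasure (overwriting) is a separate operation, so neither is a kind of formatting; make all three direct subclasses of `:ObjectEviction`, or drop `:DiskPartitioning` from the eviction tree altogether, since its only restriction is `:creates :PartitionTable` and its kb-article describes nothing being removed. The `:DiskFormatting` kb-article's claim that formatting can "prevent unauthorized access to previously stored data" is contradicted by the reference this hunk cites for it (Garfinkel and Shelat, on data recovered from formatted disks) and by the `:DiskErasure` text in the same hunk, which says overwriting is what makes data unrecoverable; say instead that formatting rewrites file-system metadata and leaves file contents recoverable until they are overwritten. In `:DiskErasure`, "cannot be recovered by any means" and "multiple times" are unqualified; state what the overwrite actually guarantees and on which media it reaches every copy of the data, rather than asserting absolute unrecoverability. Style: this hunk uses `### How it works` while the other new kb-articles in this change use `#` or `##`; pick one level.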
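Review bot: the `:DNSCacheEviction` kb-article (hunk @@ -9989) never says which cache is flushed; `ipconfig /flushdns` clears the stub-resolver cache on one Windows host, so the "remediate DNS Cache Poisoning" claim only holds for that host, and the article should say that a poisoned recursive resolver upstream needs its own flush. "On windows" should read "On Windows", and "websites you have visited recently" is end-user phrasing out of step with the register of the surrounding entries. The `:d3fend-id "D3-DNSCE"` is also longer than the pattern used for the other IDs added here (D3-DKE, D3-DRT, D3-OE); confirm it was assigned deliberately.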
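Review bot: in the `:DomainRegistrationTakedown` kb-article (hunk @@ -10139) the escalation bullet names "Top level domain registrars"; the escalation path above a registrar is the TLD registry (the operator of the zone), so this should read "registry". Typos: "Registring", "inline with" (in line with), and "registrars Terms and Conditions" needs the possessive. On the WHOIS step, "will provide a contact that can be notified" should name the registrar's abuse contact, which WHOIS output carries, rather than the registrant contact, which belongs to the attacker. Finally, `:ObjectEviction`'s definition in this same change says "from a host machine", which a registration takedown is not; one of the two needs adjusting.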
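Review bot: the `:FileEviction` kb-article (hunk @@ -10886) is the old `:FileRemoval` text carried over verbatim, including the closing "Thus, AV tools are recommended", which does not follow from the preceding sentence about data persisting on disk: AV quarantine relocates the file and does not overwrite the original blocks either. Either drop the "Thus" or say that an approved wiping tool is what addresses residual data and that AV is recommended for the quarantine-then-delete workflow. Also "may persist in disk" should read "on disk", and "verify that the file is not benign" is clearer as "confirm that the file is malicious". The `:may-access :FileServer` restriction from `:FileRemoval` was not carried over; confirm that drop is intended.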
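Review bot: deleting `:FileRemoval` outright (hunk @@ -10959) retires `:d3fend-id "D3-FR"` and the `:synonym "File Deletion"` with no forwarding; D3FEND IDs are cited externally, so add `:synonym "File Deletion"` (and "File Removal") to `:FileEviction` and keep a deprecated stub or annotation for D3-FR rather than removing the identifier silently. The `:EmailRemoval` re-parent in hunk @@ -10281 depends on this deletion, so the two must land together.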
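Review bot: the `:creates :KerberosTicketGrantingTicket` restriction on `:KerberosTicketGrantingTicketAccount` (hunk @@ -12815) attributes ticket creation to the account, but the definition in the same hunk says the KDC service issues the TGTs; the krbtgt account supplies the key the TGTs are protected with, so the restriction belongs on the KDC service or should be rephrased in terms of the key. `rdfs:seeAlso` here takes a quoted string literal where the entry just above uses an IRI, and a vendor blog is a weak citation for a core Active Directory concept; Microsoft's own KDC documentation would be better. While here: the context line above defines a TGT as "a ticket that grants a user domain admin access", which is wrong (a TGT only lets its holder request service tickets) and deserves a follow-up fix.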
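Review bot: `:ObjectEviction`'s definition (hunk @@ -14547), "Terminate or remove an object from a host machine", is narrower than its new subclasses: `:DomainRegistrationTakedown` removes a registration held at a registrar, and `:DNSCacheEviction` and `:SessionTermination` can act on infrastructure rather than a single host; drop "from a host machine" or say "from a host or service". This entry also keeps `:enables :Evict` as an explicit triple while `:CredentialEviction` and `:ProcessEviction` have theirs removed in the same change; be consistent one way or the other.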
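Review bot: the new `:may-contain :BootRecord` restriction on the partition-table class (hunk @@ -15318) points the wrong way: the definition in the same hunk describes "the MBR partition table of a Master Boot Record", i.e. the boot record contains the table, not the reverse. Put `:may-contain :PartitionTable` on `:BootRecord` (or express the table as part of the boot record) instead.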
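Review bot: same issue as `:CredentialEviction`: hunk @@ -15987 removes `:ProcessEviction`'s `:enables :Evict` while `:ObjectEviction` keeps it, and the added `:kb-reference :Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc` has no visible inverse `:kb-reference-of :ProcessEviction`. Also confirm that `:SessionTermination`, added further down as a subclass of `:ProcessEviction`, is really meant to inherit from a process-termination class.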
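Review bot: `:RegistryKeyDeletion`'s definition (hunk @@ -16631), "Delete a registry key.", says nothing about why it is a defensive technique; every other technique added in this change carries a purpose in its definition or a kb-article, and the cited CISA playbook is an incident-response document, so say that the technique removes registry keys an adversary created or modified. The `a owl:Class, owl:NamedIndividual, :RegistryKeyDeletion` ordering also differs from the `a :X, owl:Class, owl:NamedIndividual` form used for the other new techniques; harmless to the parser but worth aligning.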
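Review bot: `:ServiceAccount` (hunk @@ -17485) lists "System Account" as a `:synonym`; a service account is a principal created for an application, while a system account is the operating system's own identity, and conflating them makes the krbtgt entry, which this change subclasses under `:ServiceAccount`, read as a system account. Drop the synonym or demote it to a qualified altLabel. The definition also limits the account to interacting "with the operating system"; service accounts authenticate to other services and domains as well, which is exactly what krbtgt is for.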
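Review bot: `:SessionTermination` (hunk @@ -17589) uses `:has-link "D3-ST"` where every other technique uses `:d3fend-id`; `:has-link` is the URL predicate on reference entries in this file, so as written the entry gets no D3FEND ID. `rdfs:subClassOf :ProcessEviction` also does not fit: the object deleted is a `:Session`, not a process, and the definition covers account and device sessions, so subclass `:ObjectEviction` directly. The kb-article says the control is defined in NIST 800-53 (AC-12) but the `:kb-reference` points at 800-53A Revision 5, the assessment companion; cite 800-53 Rev 5 itself or say the reference is to the assessment procedure.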
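Review bot: hunk @@ -26911 adds `:kb-reference-of :MFATokenRevocation` to the CISA eviction-guidance reference, but no `:MFATokenRevocation` individual appears in this change; confirm it exists and carries the matching `:kb-reference`. `:DNSCacheEviction`'s own `:kb-reference` should point back at this individual so the pair stays symmetric.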
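Review bot: the Garfinkel and Shelat reference (hunk @@ -26926) links a ResearchGate profile copy of the paper; such URLs are unstable, so use the publisher's link, and type the `:has-link` value `^^xsd:anyURI` as the other references in the file do (see the CISA entry in hunk @@ -26911). The `rdfs:label` ("A study of disk sanitization practices") and `:kb-reference-title` ("A Study of Disk Sanitization Practices") disagree on casing. Citing it as `:kb-reference-of :DiskPartitioning` is a stretch: the paper concerns residual data on disposed disks, which supports `:DiskErasure` and, as a counterexample, `:DiskFormatting`, but says nothing about partitioning as a defence.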
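Review bot: hunk @@ -28349 adds `:kb-reference-of :UserAccountDeletion`, but no `:UserAccountDeletion` individual appears in this change; confirm it exists and has the reciprocal `:kb-reference`.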
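Review bot: hunk @@ -29088 removes `:kb-reference-of :FileRemoval` from the SafetyDetectives reference but does not add `:kb-reference-of :FileEviction`, even though `:FileEviction` now cites this reference (hunk @@ -10886); add the inverse so the link is not left one-directional.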
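Review bot: `:Reference-RemotelyTriggeredBlackHoleFiltering-Cisco` (hunk @@ -30095) is typed `:AcademicPaperReference`, but it is a vendor whitepaper (`:kb-organization "Cisco"`, hosted on cisco.com); the file has more fitting types, `:InternetArticleReference` and `:SpecificationReference` are both visible nearby. It also has no `:kb-reference-of`, and nothing in this change cites it, so either it belongs to a technique that did not make it into the diff or it is dead. The label has a typo ("FIltering"), and `:has-link` lacks the `^^xsd:anyURI` typing used on the other references.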
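Review bot: `:Reference-UnderstandingtheDomainRegistrationBehaviorofSpammers` (hunk @@ -31035) gives `:kb-author` in "Hao S, Thomas M, ..." form while the other references in this change use full names ("Simson L Garfinkel, Abhi Shelat", "Katarina Glamoslija"); align the format, and type `:has-link` as `^^xsd:anyURI`. Per its own abstract the paper is about spotting malicious registrations at registration time, so it supports the "Examples of Domain Registration Abuse" section of `:DomainRegistrationTakedown` more than the takedown procedure itself; a registrar or registry abuse-handling reference would be the better primary citation.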