
Commit b2205df

updated contributors for T1036 and T1497
1 parent 4db6fe9 commit b2205df

3 files changed, +4 -2 lines changed

enterprise-attack/attack-pattern/attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0.json

+1 -1
@@ -26,7 +26,7 @@
2626
"x_mitre_detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nFor RTLO, detection methods should include looking for common formats of RTLO characters within filenames such as \"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the a file containing it.",
2727
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
2828
"x_mitre_contributors": [
29-
"Oleg Kolesnikov",
29+
"Oleg Kolesnikov, Securonix",
3030
"Nick Carr, FireEye",
3131
"David Lu, Tripwire",
3232
"Felipe Esp\u00f3sito, @Pr0teus",
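Review bot: the affiliation appended to the contributor string is the only change to this object, and the commit stat (+4 -2 over 3 files) is fully accounted for by the four contributor edits, so the object's `modified` timestamp is not bumped; STIX consumers that detect updates by comparing `modified` will not pick up the new attribution. Separately, the unchanged context at line 26 still reads "print the true name of the a file containing it"; the stray "a" could be dropped while this object is being touched.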

enterprise-attack/attack-pattern/attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d.json

+1
@@ -24,6 +24,7 @@
2424
"x_mitre_detection": "Virtualization, sandbox, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.\n",
2525
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
2626
"x_mitre_contributors": [
27+
"Deloitte Threat Library Team",
2728
"Sunny Neo"
2829
],
2930
"created": "2019-04-17T22:22:24.505Z",
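Review bot: inserting the new entry before "Sunny Neo" keeps the array valid (the added line carries the comma, the existing last element does not), but the same `modified` point applies: the object gains a contributor with no change to its timestamp. The other entries in this repository pair a person with an affiliation ("Nick Carr, FireEye"), so crediting a team rather than an individual is a small convention change worth a line in the commit message.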

enterprise-attack/enterprise-attack.json

+2 -1
@@ -8885,7 +8885,7 @@
88858885
"x_mitre_detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nFor RTLO, detection methods should include looking for common formats of RTLO characters within filenames such as \"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the a file containing it.",
88868886
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
88878887
"x_mitre_contributors": [
8888-
"Oleg Kolesnikov",
8888+
"Oleg Kolesnikov, Securonix",
88898889
"Nick Carr, FireEye",
88908890
"David Lu, Tripwire",
88918891
"Felipe Esp\u00f3sito, @Pr0teus",
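Review bot: this is the bundle-side copy of the edit to attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0.json and the two are consistent, which matters because enterprise-attack.json and the per-object files are expected to carry identical content; the `modified` caveat from the per-object hunk applies here too. The "the a file" typo in the context line is duplicated here as well, so a fix would need to land in both places.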
@@ -16277,6 +16277,7 @@
1627716277
"x_mitre_detection": "Virtualization, sandbox, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.\n",
1627816278
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
1627916279
"x_mitre_contributors": [
16280+
"Deloitte Threat Library Team",
1628016281
"Sunny Neo"
1628116282
],
1628216283
"created": "2019-04-17T22:22:24.505Z",
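Review bot: matches the addition in attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d.json, so the bundle and per-object file stay in sync. Since every change in this commit had to be made twice by hand, generating enterprise-attack.json from the per-object files, or checking their equality in CI, would remove the risk of the two copies drifting apart.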
