From f8d3ad856de733e9b5b785b21144f979b6c0a717 Mon Sep 17 00:00:00 2001 
From: Austin Whisnant Date: Thu, 21 Jan 2021 10:34:41 -0500 Subject: [PATCH] Logging, filehandling, and packaging updates --- README.md | 16 +- cdas/__init__.py | 2 +- cdas/__main__.py | 109 +- ...-028ad431-84c5-4eb7-a364-2b797c234f88.json | 2 +- ...-03259939-0b57-482f-8eb5-87c0e0d54334.json | 3 +- ...-03da0598-ed46-4a73-bf43-0313b3522400.json | 2 +- ...-03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json | 7 +- ...-0440f60f-9056-4791-a740-8eae96eb61fa.json | 5 +- ...-0458aab9-ad42-4eac-9e22-706a95bafee2.json | 26 + ...-04e93ca1-8415-4a46-8549-73b7c84f8dc3.json | 2 +- ...-0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json | 2 +- ...-0722cd65-0c83-4c89-9502-539198467ab1.json | 2 +- ...-092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json | 2 +- ...-09312b1a-c3c6-4b45-9844-3ccc78e5d82f.json | 26 + ...-0979abf9-4e26-43ec-9b6e-54efc4e70fca.json | 31 + ...-09a60ea3-a8d1-4ae5-976e-5783248b72a4.json | 10 +- ...-09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119.json | 9 +- ...-0a241b6c-7bb2-48f9-98f7-128145b4d27f.json | 26 + ...-0ad7bc5c-235a-4048-944b-3b286676cb74.json | 39 + ...-0bda01d5-4c1d-4062-8ee2-6872334383c3.json | 10 + ...-0c0f075b-5d69-43f2-90df-d9ad18f44624.json | 2 +- ...-0c2d00da-7742-49e7-9928-4514e5075d32.json | 9 +- ...-0c592c79-29a7-4a94-81a4-c87eae3aead6.json | 2 +- ...-0d95940f-9583-4e0f-824c-a42c1be47fad.json | 15 +- ...-0dda99f0-4701-48ca-9774-8504922e92d3.json | 36 + ...-0df05477-c572-4ed6-88a9-47c581f548f7.json | 10 + ...-0fad2267-9f46-4ebb-91b5-d543243732cb.json | 2 +- ...-0ff59227-8aa8-4c09-bf1f-925605bd07ea.json | 31 + ...-103d72e6-7e0d-4b3a-9373-c38567305c33.json | 8 +- ...-120d5519-3098-4e1c-9191-2aa61232f073.json | 2 +- ...-13ff5307-b650-405a-9664-d8076930b2bf.json | 2 +- ...-144e007b-e638-431d-a894-45d90c54ab90.json | 2 +- ...-15d5eaa4-597a-47fd-a692-f2bed434d904.json | 2 +- ...-15ef4da5-3b93-4bb1-a39a-5396661956d3.json | 2 +- ...-166de1c6-2814-4fe5-8438-4e80f76b169f.json | 26 + ...-16cdd21f-da65-4e4f-bc04-dd7d198c7b26.json | 26 + ...-16e94db9-b5b1-4cd0-b851-f38fbd0a70f2.json | 6 +- 
...-17cc750b-e95b-4d7d-9dde-49e0de24148c.json | 4 +- ...-17fd695c-b88c-455a-a3d1-43b6cb728532.json | 31 + ...-18bfa01c-9fa9-409f-91f5-4a2822609d81.json | 2 +- ...-19401639-28d0-4c3c-adcc-bc2ba22f6421.json | 41 + ...-194bff4f-c218-40df-bea3-1ace715de8dd.json | 2 +- ...-197ef1b9-e764-46c3-b96c-23f77985dc81.json | 26 + ...-1a295f87-af63-4d94-b130-039d6221fb11.json | 2 +- ...-1b7b1806-7746-41a1-a35d-e48dae25ddba.json | 5 + ...-1cec9319-743b-4840-bb65-431547bce82a.json | 26 + ...-1d24cdee-9ea2-4189-b08e-af110bf2435d.json | 5 + ...-1def484d-2343-470d-8925-88f45b5f9615.json | 2 +- ...-1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf.json | 5 + ...-1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json | 2 +- ...-1f9012ef-1e10-4e48-915e-e03563435fe8.json | 34 + ...-1ff8b824-5287-4583-ab6a-013bf36d4864.json | 2 +- ...-2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json | 2 +- ...-20a66013-8dab-4ca3-a67d-766c842c561c.json | 2 +- ...-20fb2507-d71c-455d-9b6d-6104461cf26b.json | 4 +- ...-212306d8-efa4-44c9-8c2d-ed3d2e224aa0.json | 46 + ...-2141aea0-cf38-49aa-9e51-ac34092bc30a.json | 5 +- ...-22905430-4901-4c2a-84f6-98243cb173f8.json | 4 +- ...-2339cf19-8f1e-48f7-8a91-0262ba547b6f.json | 26 + ...-23ecb7e0-0340-43d9-80a5-8971fe866ddf.json | 2 +- ...-24286c33-d4a4-4419-85c2-1d094a896c26.json | 26 + ...-271e6d40-e191-421a-8f87-a8102452c201.json | 8 +- ...-274770e0-2612-4ccf-a678-ef8e7bad365d.json | 36 + ...-27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json | 2 +- ...-286cc500-4291-45c2-99a1-e760db176402.json | 2 +- ...-288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json | 2 +- ...-28abec6c-4443-4b03-8206-07f2e264a6b4.json | 58 + ...-2959d63f-73fd-46a1-abd2-109d7dcede32.json | 15 + ...-2b5aa86b-a0df-4382-848d-30abea443327.json | 26 + ...-2b742742-28c3-4e1b-bab7-8350d6300fa7.json | 2 +- ...-2b9a666e-bd59-4f67-9031-ed41b428e04a.json | 2 +- ...-2d3f5b3c-54ca-4f4d-bb1f-849346d31230.json | 41 + ...-2de47683-f398-448f-b947-9abcc3e32fad.json | 39 + ...-2e34237d-8574-43f6-aace-ae2915de8597.json | 2 +- 
...-2f442206-2983-4fc2-93fd-0a828e026412.json | 2 +- ...-31225cd3-cd46-4575-b287-c2c14011c074.json | 46 + ...-3160347f-11ac-44a3-9640-a648b3c17a8f.json | 2 +- ...-31a57c70-6709-4d06-a473-c3df1f74c1d4.json | 2 +- ...-31fa5b03-1ede-4fab-8a68-ed831fcf4899.json | 2 +- ...-34450117-d1d5-417c-bb74-4359fc6551ca.json | 2 +- ...-3489cfc5-640f-4bb3-a103-9137b97de79f.json | 15 +- ...-34ab90a3-05f6-4259-8f21-621081fdaba5.json | 26 + ...-34b3f738-bd64-40e5-a112-29b0542bc8bf.json | 26 + ...-34e793de-0274-4982-9c1a-246ed1c19dee.json | 2 +- ...-357e137c-7589-4af1-895c-3fbad35ea4d2.json | 2 +- ...-359b00ad-9425-420b-bba5-6de8d600cbc0.json | 2 +- ...-36aa137f-5166-41f8-b2f0-a4cfa1b4133e.json | 26 + ...-36b2a1d7-e09e-49bf-b45e-477076c2ec01.json | 5 + ...-37b11151-1776-4f8f-b328-30939fbf2ceb.json | 12 +- ...-388f3a5c-2cdd-466c-9159-b507fa429fcd.json | 2 +- ...-38eb0c22-6caf-46ce-8869-5964bd735858.json | 15 + ...-3986e7fd-a8e9-4ecb-bfc6-55920855912b.json | 59 + ...-39cc9f64-cf74-4a48-a4d8-fe98c54a02e0.json | 26 + ...-3a40f208-a9c1-4efa-a598-4003c3681fb8.json | 34 + ...-3aef9463-9a7a-43ba-8957-a867e07c1e6a.json | 20 +- ...-3d1488a6-59e6-455a-8b80-78b53edc33fe.json | 11 +- ...-3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b.json | 26 + ...-3f157dee-74f0-41fc-801e-f837b8985b0a.json | 5 +- ...-3f18edba-28f4-4bb9-82c3-8aa60dcac5f7.json | 2 +- ...-3f886f2a-874f-4333-b794-aa6075009b1c.json | 15 +- ...-3fc01293-ef5e-41c6-86ce-61f10706b64a.json | 5 + ...-40f5caa0-4cb7-4117-89fc-d421bb493df3.json | 51 + ...-42fe883a-21ea-4cfb-b94a-78b6476dcc83.json | 2 +- ...-451a9977-d255-43c9-b431-66de80130c8c.json | 20 +- ...-45242287-2964-4a3e-9373-159fad4d8195.json | 2 +- ...-46017368-6e09-412b-a29c-385be201cc03.json | 2 +- ...-4886e3c2-468b-4e26-b7e5-2031d995d13a.json | 8 +- ...-488da8ed-2887-4ef6-a39a-5b69bc6682c6.json | 2 +- ...-4900fabf-1142-4c1f-92f5-0b590e049077.json | 2 +- ...-4cbc6a62-9e34-4f94-8a19-5c1a11392a49.json | 2 +- ...-4fad17d3-8f42-449d-ac4b-dbb4c486127d.json | 2 +- 
...-4ff5d6a8-c062-4c68-a778-36fc5edd564f.json | 11 +- ...-4ffc1794-ec3b-45be-9e52-42dbcb2af2de.json | 29 + ...-51bca707-a806-49bf-91e0-03885b0ac85c.json | 2 +- ...-51e54974-a541-4fb6-a61b-0518e4c6de41.json | 26 + ...-52759bf1-fe12-4052-ace6-c5b0cf7dd7fd.json | 39 + ...-5282dd9a-d26d-4e16-88b7-7c0f4553daf4.json | 61 + ...-5436571f-2332-4b51-b7ed-0bc822fe02c2.json | 2 +- ...-54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json | 2 +- ...-54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b.json | 2 +- ...-54eb2bab-125f-4d1c-b999-0c692860bafe.json | 2 +- ...-5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4.json | 26 + ...-55fc4df0-b42c-479a-b860-7a6761bcaad0.json | 56 + ...-57061a8a-d7c5-42a9-be60-f79526b95bf6.json | 2 +- ...-573ad264-1371-4ae0-8482-d2673b719dba.json | 10 + ...-57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json | 2 +- ...-57a3d31a-d04f-4663-b2da-7df8ec3f8c9d.json | 56 + ...-58af3705-8740-4c68-9329-ec015a7013c2.json | 4 +- ...-59369f72-3005-4e54-9095-3d00efcece73.json | 2 +- ...-5a68c603-d7f9-4535-927e-ab56819eaa85.json | 5 +- ...-5b6ce031-bb86-407a-9984-2b9700ac4549.json | 2 +- ...-5bfccc3f-2326-4112-86cc-c1ece9d8a2b5.json | 7 +- ...-5d0d3609-d06d-49e1-b9c9-b544e0c618cb.json | 9 +- ...-6063b486-a247-499b-976a-9de16f4e83bc.json | 2 +- ...-60c4b628-4807-4b0b-bbf5-fdac8643c337.json | 26 + ...-6151cbea-819b-455a-9fa6-99a1cc58797d.json | 5 + ...-616238cb-990b-4c71-8f50-d8b10ed8ce6b.json | 2 +- ...-633a100c-b2c9-41bf-9be5-905c1b16c825.json | 10 + ...-65013dd2-bc61-43e3-afb5-a14c4fa7437a.json | 31 + ...-67073dde-d720-45ae-83da-b12d5e73ca3b.json | 31 + ...-68b45999-bb0c-4829-bbd0-75d6dac57c94.json | 2 +- ...-692074ae-bb62-4a5e-a735-02cb6bde458c.json | 5 + ...-695b1cce-57d7-49ae-a2af-820d50153f12.json | 2 +- ...-69f897fd-12a9-4c89-ad6a-46d2f3c38262.json | 31 + ...-6baf6388-d49f-4804-86a4-5837240555cd.json | 2 +- ...-6c2957f9-502a-478c-b1dd-d626c0659413.json | 26 + ...-6c79d654-6506-4f33-b48f-c80babdcc52d.json | 2 +- ...-6d4a7fb3-5a24-42be-ae61-6728a2b581f6.json | 2 +- 
...-6e561441-8431-4773-a9b8-ccf28ef6a968.json | 31 + ...-6ee2dc99-91ad-4534-a7d8-a649358c331f.json | 26 + ...-6f088e84-37b2-44de-8df3-393908f2d77b.json | 2 +- ...-70857657-bd0b-4695-ad3e-b13f92cac1b4.json | 2 +- ...-70d81154-b187-45f9-8ec5-295d01255979.json | 2 +- ...-72b74d71-8169-42aa-92e0-e7b04b9f5a08.json | 5 + ...-72c8d526-1247-42d4-919c-6d7a31ca8f39.json | 2 +- ...-731f4f55-b6d0-41d1-a7a9-072a66389aea.json | 3 +- ...-7385dfaf-6886-4229-9ecd-6fd678040830.json | 3 +- ...-73e394e5-3d8a-40d1-ab8c-a1b4ea9db424.json | 2 +- ...-73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a.json | 2 +- ...-74a3288e-eee9-4f8e-973a-fbc128e033f1.json | 2 +- ...-762771c2-3675-4535-88e9-b1f891758974.json | 2 +- ...-76551c52-b111-4884-bc47-ff3e728f0156.json | 26 + ...-767dbf9e-df3f-45cb-8998-4903ab5f80c0.json | 2 +- ...-7718e92f-b011-4f88-b822-ae245a1de407.json | 2 +- ...-773950e1-090c-488b-a480-9ff236312e31.json | 2 +- ...-774a3188-6ba9-4dc4-879d-d54ee48a5ce9.json | 3 +- ...-774ad5bb-2366-4c13-a8a9-65e50b292e7c.json | 26 + ...-77532a55-c283-4cd2-bc5d-2d0b65e9d88c.json | 2 +- ...-77e30eee-fd48-40b4-99ec-73e97c158b58.json | 16 +- ...-7807d3a4-a885-4639-a786-c1ed41484970.json | 21 + ...-784ff1bc-1483-41fe-a172-4cd9ae25c06b.json | 2 +- ...-7860e21e-7514-4a3f-8a9d-56405ccfdb0c.json | 2 +- ...-7863b7f1-c18a-4aad-a6cf-4aa6d8797531.json | 2 +- ...-78ae433b-289d-4c8d-b8c1-f8de0b7f9090.json | 2 +- ...-78e41091-d10d-4001-b202-89612892b6ff.json | 2 +- ...-795c1a92-3a26-453e-b99a-6a566aa94dc6.json | 5 +- ...-79da0971-3147-4af6-a4f5-e8cd447cd795.json | 26 + ...-7a265bf0-6acc-4f43-8b22-2e58b443e62e.json | 2 +- ...-7baccb84-356c-4e89-8c5d-58e701f033fc.json | 2 +- ...-7bc57495-ea59-4380-be31-a64af124ef18.json | 10 + ...-7c46b364-8496-4234-8a56-f7e6727e21e1.json | 49 + ...-7dae871c-effc-444b-9962-4b7efefe7d40.json | 2 +- ...-7dd95ff6-712e-4056-9626-312ea4ab4c5e.json | 2 +- ...-7e3beebd-8bfe-4e7b-a892-e44ab06a75f9.json | 46 + ...-7efba77e-3bc4-4ca5-8292-d8201dcd64b5.json | 29 + 
...-7f0ca133-88c4-40c6-a62f-b3083a7fbc2e.json | 3 +- ...-7f2d3da6-7e34-44a3-9e7f-905455339726.json | 2 +- ...-808e6329-ca91-4b87-ac2d-8eadc5f8f327.json | 49 + ...-81033c3b-16a4-46e4-8fed-9b030dd03c4a.json | 26 + ...-810d8072-afb6-4a56-9ee7-86379ac4a6f3.json | 36 + ...-818302b2-d640-477b-bf88-873120ce85c4.json | 35 + ...-8197f026-64da-4700-93b9-b55ba55f3b31.json | 37 + ...-82bbd209-f516-45e0-9542-4ffbbc2a8717.json | 2 +- ...-856a9371-4f0f-4ea9-946e-f3144204240f.json | 2 +- ...-87775365-2081-4b6e-99bd-48a3b8f36563.json | 2 +- ...-8868cb5b-d575-4a60-acb2-07d37389a2fd.json | 3 +- ...-88d31120-5bc7-4ce3-a9c0-7cf147be8e54.json | 21 + ...-8982a661-d84c-48c0-b4ec-1db29c6cf3bc.json | 41 + ...-89a79d91-53e0-4ef5-ba28-558cb8b01f76.json | 2 +- ...-8a2f40cf-8325-47f9-96e4-b1ca4c7389bd.json | 26 +- ...-8b57a8f1-9cbc-4b95-b162-cc2a1add94f2.json | 2 +- ...-8c4aef43-48d5-49aa-b2af-c0cd58d30c3d.json | 4 +- ...-8e211ec9-5dfc-4915-aff4-84d5908f0336.json | 2 +- ...-8e27551a-5080-4148-a584-c64348212e4f.json | 6 +- ...-8e927b19-04a6-4aaa-a42f-4f0a53411d27.json | 2 +- ...-8f104855-e5b7-4077-b1f5-bc3103b41abe.json | 17 +- ...-8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json | 46 - ...-8f504411-cb96-4dac-a537-8d2bb7679c59.json | 22 +- ...-90884cdb-31dd-431c-87db-9cc7e03191e5.json | 2 +- ...-9108e212-1c94-4f8d-be76-1aad9b4c86a4.json | 8 +- ...-91177e6d-b616-4a03-ba4b-f3b32f7dda75.json | 26 + ...-91a3735f-817a-4450-8ed4-f05a0f5c3877.json | 2 +- ...-92a78814-b191-47ca-909c-1ccfe3777414.json | 9 +- ...-937e4772-8441-4e4a-8bf0-8d447d667e23.json | 31 + ...-96eb59d1-6c46-44bb-bfcd-56be02a00d41.json | 2 +- ...-9755ecdc-deb0-40e6-af49-713cb0f8ed92.json | 5 +- ...-9a60a291-8960-4387-8a4a-2ab5c18bb50b.json | 2 +- ...-9a8c47f6-ae69-4044-917d-4b1602af64d9.json | 5 +- ...-9d234df0-2344-4db4-bc0f-8de9c6c071a7.json | 2 +- ...-9d48cab2-7929-4812-ad22-f536665f0109.json | 36 + ...-9e7452df-5144-4b6e-b04a-b66dd4016747.json | 2 +- ...-9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd.json | 4 +- 
...-9efb1ea7-c37b-4595-9640-b7680cd84279.json | 12 +- ...-a0e6614a-7740-4b24-bd65-f1bde09fc365.json | 36 + ...-a16e4004-caac-4a0b-acd5-486f8fda1665.json | 2 +- ...-a1e8d61b-22e1-4983-8485-96420152ecd8.json | 2 +- ...-a2029942-0a85-4947-b23c-ca434698171d.json | 2 +- ...-a2fc93cd-e371-4755-9305-2615b6753d91.json | 2 +- ...-a2fdce72-04b2-409a-ac10-cc1695f4fce0.json | 26 + ...-a425598d-7c19-40f7-9aa3-ac20f0d5c2b2.json | 2 +- ...-a51eb150-93b1-484b-a503-e51453b127a4.json | 31 + ...-a542bac9-7bc1-4da7-9a09-96f69e23cc21.json | 58 + ...-a54a7708-8f64-45f3-ad51-1abf976986a0.json | 2 +- ...-a62a8db3-f23a-4d8f-afd6-9dbc77e7813b.json | 2 +- ...-a6557c75-798f-42e4-be70-ab4502e0a3bc.json | 38 + ...-a757670d-d600-48d9-8ae9-601d42c184a5.json | 2 +- ...-a782ebe2-daba-42c7-bc82-e8e9d923162d.json | 10 +- ...-a7c620e5-cbc9-41b2-9695-418ef560f16c.json | 2 +- ...-a7dff5d5-99f9-4a7e-ac54-a64113c28121.json | 2 +- ...-a86a21a4-6304-4df3-aa6d-08114c47d48f.json | 2 +- ...-aadaee0d-794c-4642-8293-7ec22a99fb1a.json | 5 +- ...-abd5bed1-4c12-45de-a623-ab8dc4ff862a.json | 5 +- ...-acfcbe7a-4dbc-4471-be2b-134faf479e3e.json | 2 +- ...-ad124f84-52d2-40e3-95dd-cfdd44eae6ef.json | 2 +- ...-ae797531-3219-49a4-bccf-324ad7a4c7b2.json | 26 + ...-ae7f3575-0a5e-427e-991b-fe03ad44c754.json | 34 + ...-ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5.json | 2 +- ...-af358cad-eb71-4e91-a752-236edc237dae.json | 2 +- ...-b14f6692-b613-44bb-9f30-8381a5ff10d5.json | 2 +- ...-b182f29c-2505-4b32-a000-0440ef189f59.json | 2 +- ...-b1ccd744-3f78-4a0e-9bb2-2002057f7928.json | 31 + ...-b26babc7-9127-4bd5-9750-5e49748c9be3.json | 2 +- ...-b2d03cea-aec1-45ca-9744-9ee583c1e1cc.json | 5 + ...-b327a9c0-e709-495c-aa6e-00b042136e2b.json | 41 + ...-b355817c-cf63-43b4-94a4-05e9645fa910.json | 2 +- ...-b3f36317-3940-4d71-968f-e11ac1bf6a31.json | 2 +- ...-b6075259-dba3-44e9-87c7-e954f37ec0d5.json | 2 +- ...-b6301b64-ef57-4cce-bb0b-77026f14a8db.json | 17 +- ...-b79e8a3f-a109-47c2-a0e3-564955590a3d.json | 2 +- 
...-b8017880-4b1e-42de-ad10-ae7ac6705166.json | 24 + ...-b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d.json | 26 + ...-b9148981-152a-4a19-95c1-962803f5c9af.json | 2 +- ...-b93bd611-da4e-4c84-a40f-325b712bed67.json | 2 +- ...-baf60e1a-afe5-4d31-830f-1b1ba2351884.json | 26 + ...-bb5a00de-e086-4859-a231-fa793f6797e2.json | 3 +- ...-bbc3cba7-84ae-410d-b18b-16750731dfa2.json | 31 + ...-bbe5b322-e2af-4a5e-9625-a4e62bf84ed3.json | 26 + ...-bc76d0a4-db11-4551-9ac4-01a469cfb161.json | 61 + ...-bf96a5a3-3bce-43b7-8597-88545984c07b.json | 4 +- ...-c21d5a77-d422-4a69-acd7-2c53c1faa34b.json | 15 +- ...-c2e147a9-d1a8-4074-811a-d8789202d916.json | 5 + ...-c2f59d25-87fe-44aa-8f83-e8e59d077bf5.json | 41 + ...-c2ffd229-11bb-4fd8-9208-edbe97b14c93.json | 2 +- ...-c3c8c916-2f3c-4e71-94b2-240bdfc996f0.json | 5 + ...-c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f.json | 5 + ...-c721b235-679a-4d76-9ae9-e08921fccf84.json | 2 +- ...-c860af4a-376e-46d7-afbf-262c41012227.json | 2 +- ...-c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b.json | 56 + ...-c9ac5715-ee5c-4380-baf4-6f12e304ca93.json | 2 +- ...-c9e85b80-39e8-42df-b275-86a2afcea9e8.json | 2 +- ...-c9fb4451-729d-4771-b205-52c1829f949c.json | 2 +- ...-ca9d3402-ada3-484d-876a-d717bd6e05f2.json | 5 + ...-cabe189c-a0e3-4965-a473-dcff00f17213.json | 45 + ...-cacc40da-4c9e-462c-80d5-fd70a178b12d.json | 46 + ...-cba37adb-d6fb-4610-b069-dd04c0643384.json | 7 +- ...-cc0faf66-4df2-4328-9c9c-b0ca5de915ad.json | 2 +- ...-cc723aff-ec88-40e3-a224-5af9fd983cc4.json | 26 + ...-cca0ccb6-a068-4574-a722-b1556f86833a.json | 56 + ...-cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8.json | 36 + ...-cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d.json | 2 +- ...-ce0687a0-e692-4b77-964a-0784a8e54ff1.json | 36 + ...-cf1c2504-433f-4c4e-a1f8-91de45a0318c.json | 2 +- ...-d245808a-7086-4310-984a-a84aaaa43f8f.json | 59 + ...-d28ef391-8ed4-45dc-bc4a-2f43abf54416.json | 5 +- ...-d2c4206a-a431-4494-834d-52944a79e9f4.json | 2 +- ...-d3999268-740f-467e-a075-c82e2d04be62.json | 2 +- 
...-d3dca536-8bf0-4e43-97c1-44a2353c3d69.json | 2 +- ...-d40239b3-05ff-46d8-9bdd-b46d13463ef9.json | 9 +- ...-d45fe3c2-0688-43b9-ac07-7eb86f575e93.json | 2 +- ...-d4b96d2c-1032-4b22-9235-2b5b649d0605.json | 2 +- ...-d58f3996-e293-4f69-a2c8-0e1851cb8297.json | 2 +- ...-d69c3e06-8311-4093-8e3e-0a8e06b15d92.json | 2 +- ...-d778cb83-2292-4995-b006-d38f52bc1e64.json | 2 +- ...-db8f5003-3b20-48f0-9b76-123e44208120.json | 26 + ...-dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9.json | 2 +- ...-df42286d-dfbd-4455-bc9d-aef52ac29aa7.json | 2 +- ...-dfa4eaf4-50d9-49de-89e9-d33f579f3e05.json | 2 +- ...-dfd7cc1d-e1d8-4394-a198-97c4cab8aa67.json | 7 +- ...-dfefe2ed-4389-4318-8762-f0272b350a1b.json | 27 +- ...-e042a41b-5ecf-4f3a-8f1f-1b528c534772.json | 2 +- ...-e196b5c5-8118-4a1c-ab8a-936586ce3db5.json | 21 + ...-e2aa077d-60c9-4de5-b015-a9c382877cd9.json | 2 +- ...-e34b9ca1-8778-41a3-bba5-8edaab4076dc.json | 5 +- ...-e358d692-23c0-4a31-9eb6-ecc13a8d7735.json | 27 +- ...-e3b168bd-fcd7-439e-9382-2e6c2f63514d.json | 36 + ...-e3b6daca-e963-4a69-aee6-ed4fd653ad58.json | 7 +- ...-e51398e6-53dc-4e9f-a323-e54683d8672b.json | 2 +- ...-e5164428-03ca-4336-a9a7-4d9ea1417e59.json | 2 +- ...-e64c62cf-9cd7-4a14-94ec-cdaac43ab44b.json | 4 +- ...-e6ca2820-a564-4b74-b42a-b6bdf052e5b6.json | 2 +- ...-e754fa49-2db1-416b-92db-7f886decd099.json | 2 +- ...-e7cbc1de-1f79-48ee-abfd-da1241c65a15.json | 26 + ...-e8471f43-2742-4fd7-9af7-8ed1330ada37.json | 2 +- ...-eacadff4-164b-451c-bacc-7b29ebfd0c3f.json | 2 +- ...-eacd1efe-ee30-4b03-b58f-5b3b1adfe45d.json | 5 +- ...-ec4be82f-940c-4dcb-87fe-2bbdd17c692f.json | 26 + ...-ec739e26-d097-4804-b04a-54dd81ff11e0.json | 2 +- ...-ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1.json | 2 +- ...-ed730f20-0e44-48b9-85f8-0e2adeb76867.json | 31 + ...-edadea33-549c-4ed1-9783-8f5a5853cbdf.json | 41 + ...-ee40d054-6e83-4302-88dc-a3af98821d8d.json | 2 +- ...-ee7ff928-801c-4f34-8a99-3df965e581a5.json | 44 + ...-ef0f816a-d561-4953-84c6-2a2936c96957.json | 2 +- 
...-ef6197fd-a58a-4006-bfd6-1d7765d8409d.json | 2 +- ...-f005e783-57d4-4837-88ad-dbe7faee1c51.json | 17 +- ...-f232fa7a-025c-4d43-abc7-318e81a73d65.json | 2 +- ...-f2877f7f-9a4c-4251-879f-1224e3006bee.json | 8 +- ...-f4b843c1-7e92-4701-8fed-ce82f8be2636.json | 46 + ...-f4c1826f-a322-41cd-9557-562100848c84.json | 3 +- ...-f6ad61ee-65f3-4bd0-a3f5-2f0accb36317.json | 2 +- ...-f870408c-b1cd-49c7-a5c7-0ef0fc496cc6.json | 26 + ...-f9cc4d06-775f-4ee1-b401-4e2cc0da30ba.json | 31 + ...-fa44a152-ac48-441e-a524-dd7b04b8adcd.json | 43 + ...-fb39384c-00e4-414a-88af-e80c4904e0b8.json | 5 +- ...-fc742192-19e3-466c-9eb5-964a97b29490.json | 4 +- ...-fc74ba38-dc98-461f-8611-b3dbf9978e3d.json | 29 + ...-fddd81e9-dd3d-477e-9773-4fb8ae227234.json | 2 +- ...-fe421ab9-c8f3-42f7-9ae1-5d6c324cc925.json | 2 +- ...-ffeb0780-356e-4261-b036-cfb6bd234335.json | 2 +- ...-0626c181-93cb-4860-9cb0-dff3b1c13063.json | 4 +- ...-085eb36d-697d-4d9a-bac3-96eb879fe73c.json | 4 +- ...-1cdbbcab-903a-414d-8eb0-439a97343737.json | 25 + ...-1d808f62-cf63-4063-9727-ff6132514c22.json | 10 +- ...-20945359-3b39-4542-85ef-08ecb4e1c174.json | 28 + ...-22faaa56-a8ac-4292-9be6-b571b255ee40.json | 23 + ...-2740eaf6-2db2-4a40-a63f-f5b166c7059c.json | 13 +- ...-29944858-da52-4d3d-b428-f8a6eb8dde6f.json | 23 + ...-317a2c10-d489-431e-b6b2-f0251fddc88e.json | 2 +- ...-32066e94-3112-48ca-b9eb-ba2b59d2f023.json | 2 +- ...-3271c107-92c4-442e-9506-e76d62230ee8.json | 23 + ...-35cd1d01-1ede-44d2-b073-a264d727bc04.json | 8 +- ...-3a4197ae-ec63-4162-907b-9a073d1157e4.json | 33 + ...-3aa169f8-bbf6-44bb-b57d-7f6ada5c2128.json | 30 + ...-3d57dcc4-be99-4613-9482-d5218f5ec13e.json | 23 + ...-41e3fd01-7b83-471f-835d-d2b1dc9a770c.json | 2 +- ...-47124daf-44be-4530-9c63-038bc64318dd.json | 23 + ...-47afe41c-4c08-485e-b062-c3bd209a1cce.json | 7 +- ...-4b346d12-7f91-48d2-8f06-b26ffa0d825b.json | 24 + ...-4c6d62c2-89f5-4159-8fab-0190b1f9d328.json | 23 + ...-5147ef15-1cae-4707-8ea1-bee8d98b7f1d.json | 28 + 
...-52c994fa-b6c8-45a8-9586-a4275cf19307.json | 43 + ...-54a01db0-9fab-4d5f-8209-53cef8425f4a.json | 23 + ...-5e7ef1dc-7fb6-4913-ac75-e06113b59e0c.json | 4 +- ...-5f1d4579-4e8f-48e7-860e-2da773ae432e.json | 34 + ...-680f680c-eef9-4f8a-b5f5-f451bf47e403.json | 24 + ...-81c57a96-fc8c-4f91-af8e-63e24c2927c2.json | 2 +- ...-82cb34ba-02b5-432b-b2d2-07f55cbf674d.json | 28 +- ...-838f647e-8ff8-48bd-bbd5-613cee7736cb.json | 23 + ...-8393dac0-0583-456a-9372-fd81691bca20.json | 23 + ...-84c1ecc6-e5a2-4e8a-bf4b-651a618e0053.json | 28 + ...-911fe4c3-444d-4e92-83b8-cc761ac5fd3b.json | 33 + ...-959f3b19-2dc8-48d5-8942-c66813a5101a.json | 28 + ...-99164b38-1775-40bc-b77b-a2373b14540a.json | 23 + ...-9b325b06-35a1-457d-be46-a4ecc0b7ff0c.json | 3 +- ...-a04d9a4c-bb52-40bf-98ec-e350c2d6a862.json | 23 + ...a7881f21-e978-4fe4-af56-92c9416a2616.json} | 10 +- ...-ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json | 83 + ...-ade37ada-14af-4b44-b36c-210eec255d53.json | 7 +- ...-b136d088-a829-432c-ac26-5529c26d4c7e.json | 4 +- ...-b9704a7d-feef-4af9-8898-5280f1686326.json | 23 + ...-bbcd7a02-ef24-4171-ac94-a93540173b94.json | 33 + ...-bd7a9e13-69fa-4243-a5e5-04326a63f9f2.json | 23 + ...-c984b414-b766-44c5-814a-2fe96c913c12.json | 23 + ...-d9f7383c-95ec-4080-bbce-121c9384457b.json | 11 +- ...-dfdac962-9461-47f0-a212-36dfce2a97e6.json | 23 + ...-e33e4603-afab-402d-b2a1-248d435b5fe0.json | 28 + ...-eedc01d5-95e6-4d21-bcd4-1121b1df4586.json | 23 + ...-ef2247bf-8062-404b-894f-d65d00564817.json | 33 + ...-f1314e75-ada8-49f4-b281-b1fb8b48f2a7.json | 4 +- ...-f666e17c-b290-43b3-8947-b96bd5148fbb.json | 23 + ...-fc774af4-533b-4724-96d2-ac1026316794.json | 2 +- cdas/assets/mitre_cti/relationships.json | 10977 +++++----------- ...-1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json | 5 +- ...-2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json | 2 + ...-2e290bfe-93b5-48ce-97d6-edcd6d32b7cf.json | 20 - ...-2e5d3a83-fe00-41a5-9b60-237efc84832f.json | 20 - ...-2fd2be6a-d3a2-4a65-b499-05ea2693abee.json | 20 - 
...-32bca8ff-d900-4877-aa65-d70baa041b74.json | 21 - ...-3753cc21-2dae-4dfb-8481-d004e74502cc.json | 20 - ...-381fcf73-60f6-4ab2-9991-6af3cbc35192.json | 26 - ...-38863958-a201-4ce1-9dbe-539b0b6804e0.json | 21 - ...-38fd6a28-3353-4f2b-bb2b-459fecd5c648.json | 23 - ...-44102191-3a31-45f8-acbe-34bdb441d5ad.json | 20 - ...-44e43fad-ffcb-4210-abcf-eaaed9735f80.json | 21 - ...-4a2ce82e-1a74-468a-a6fb-bbead541383c.json | 24 - ...-4ca1929c-7d64-4aab-b849-badbfc0c760d.json | 23 - ...-55033a4d-3ffe-46b2-99b4-2c1541e9ce1c.json | 22 - ...-56319646-eb6e-41fc-ae53-aadfa7adb924.json | 22 - ...-5636b7b3-d99b-4edd-aa05-ee649c1d4ef1.json | 20 - ...-59140a2e-d117-4206-9b2c-2a8662bd9d46.json | 20 - ...-5cbe0d3b-6fb1-471f-b591-4b192915116d.json | 20 - ...-5ce5392a-3a6c-4e07-9df3-9b6a9159ac45.json | 22 - ...-5e78ae92-3ffd-4b16-bf62-e798529d73f1.json | 20 - ...-62a64fd3-aaf7-4d09-a375-d6f8bb118481.json | 20 - ...-6688d679-ccdb-4f12-abf6-c7545dd767a4.json | 20 - ...-6713ab67-e25b-49cc-808d-2b36d4fbc35c.json | 26 - ...-6a2e693f-24e5-451a-9f88-b36a108e5662.json | 23 - ...-6b1b551c-d770-4f95-8cfc-3cd253c4c04e.json | 20 - ...-6b9ebeb5-20bf-48b0-afb7-988d769a2f01.json | 20 - ...-6fe8a2a1-a1b0-4af8-953d-4babd329f8f8.json | 20 - ...-7113eaa5-ba79-4fb3-b68a-398ee9cd698e.json | 23 - ...-7331c66a-5601-4d3f-acf6-ad9e3035eb40.json | 20 - ...-73a80fab-2aa3-48e0-a4d0-3a4828200aee.json | 20 - ...-76565741-3452-4069-ab08-80c0ea95bbeb.json | 20 - ...-76d59913-1d24-4992-a8ac-05a3eb093f71.json | 21 - ...-7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70.json | 20 - ...-7a19ecb1-3c65-4de3-a230-993516aed6a6.json | 25 - ...-7ecc3b4f-5cdb-457e-b55a-df376b359446.json | 20 - ...-7eda3dd8-b09b-4705-8090-c2ad9fb8c14d.json | 21 - ...-813636db-3939-4a45-bea9-6113e970c029.json | 20 - ...-85403903-15e0-4f9f-9be4-a259ecad4022.json | 20 - ...-88489675-d216-4884-a98f-49a89fcc1643.json | 20 - ...-88b7dbc2-32d3-4e31-af2f-3fc24e1582d7.json | 22 - ...-894aab42-3371-47b1-8859-a4a074c804c8.json | 20 - 
...-899ce53f-13a0-479b-a0e4-67d46e241542.json | 24 - ...-8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json | 20 - ...-8f5e8dc7-739d-4f5e-a8a1-a66e004d7063.json | 22 - ...-92d5b3fd-3b39-438e-af68-770e447beada.json | 20 - ...-93f52415-0fe4-4d3d-896c-fc9b8e88ab90.json | 22 - ...-9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json | 21 - ...-96e239be-ad99-49eb-b127-3007b8c1bec9.json | 20 - ...-9e729a7e-0dd6-4097-95bf-db8d64911383.json | 20 - ...-a0cb9370-e39b-44d5-9f50-ef78e412b973.json | 21 - ...-a653431d-6a5e-4600-8ad3-609b5af57064.json | 25 - ...-ae41895a-243f-4a65-b99b-d85022326c31.json | 20 - ...-afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json | 21 - ...-b74f909f-8e52-4b69-b770-162bf59a1b4e.json | 20 - ...-bef4c620-0787-42a8-a96d-b7eb6e85917c.json | 31 - ...-c416b28c-103b-4df1-909e-78089a7e0e5f.json | 20 - ...-c47f937f-1022-4f42-8525-e7a4779a14cb.json | 24 - ...-c4d50cdf-87ce-407d-86d8-862883485842.json | 21 - ...-c5574ca0-d5a4-490a-b207-e4658e5fd1d7.json | 20 - ...-c5947e1c-1cbc-434c-94b8-27c7e3be0fff.json | 21 - ...-c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json | 24 - ...-d0b3393b-3bec-4ba3-bda9-199d30db47b6.json | 20 - ...-d13c8a7f-740b-4efa-a232-de7d6bb05321.json | 20 - ...-d1acfbb3-647b-4723-9154-800ec119006e.json | 20 - ...-d519164e-f5fa-4b8c-a1fb-cf0172ad0983.json | 21 - ...-d69e568e-9ac8-4c08-b32c-d93b43ba9172.json | 20 - ...-d6e88e18-81e8-4709-82d8-973095da1e70.json | 20 - ...-da49b9f1-ca99-443f-9728-0a074db66850.json | 20 - ...-dc6fe6ee-04c2-49be-ba3d-f38d2463c02a.json | 22 - ...-dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a.json | 20 - ...-dd2d9ca6-505b-4860-a604-233685b802c7.json | 22 - ...-df71bb3b-813c-45eb-a8bc-f2a419837411.json | 22 - ...-ead23196-d7b6-4ce6-a124-4ab4b67d81bd.json | 22 - ...-ebb73863-fa44-4617-b4cb-b9ed3414eb87.json | 20 - ...-efed95ba-d7e8-47ff-8c53-99c42426ee7c.json | 20 - ...-f047ee18-7985-4946-8bfb-4ed754d3a0dd.json | 20 - ...-f3bdec95-3d62-42d9-a840-29630f6cdc1a.json | 20 - ...-f40eb8ce-2a74-4e56-89a1-227021410142.json | 20 - 
...-f8cb7b36-62ef-4488-8a6d-a7033e3271c1.json | 20 - ...-f9c06633-dcff-48a1-8588-759e7cec5694.json | 20 - ...-f9d6633a-55e6-4adc-9263-6ae080421a13.json | 28 - ...-fb366179-766c-4a4a-afa1-52bff1fd601c.json | 26 - ...-fbd29c89-18ba-4c2d-b792-51c0adee049f.json | 22 - ...-fbe9387f-34e6-4828-ac28-3080020c597b.json | 20 - ...-fd19bd82-1b14-49a1-a176-6cdc46b8a826.json | 22 - ...-fe8796a4-2a02-41a0-9d27-7aa1e995feb6.json | 24 - ...-fe98767f-9df8-42b9-83c9-004b1dec8647.json | 20 - ...-975737f1-b10d-476f-8bda-3ec26ea57172.json | 23 + ...-9de2308e-7bed-43a3-8e58-f194b3586700.json | 2 +- ...-c4810609-7da6-48ec-8057-1b70a7814db0.json | 23 + cdas/assets/stix_vocab.json | 3 +- cdas/context.py | 26 + cdas/filestore.py | 30 +- cdas/simulator.py | 69 +- setup.py | 20 +- 498 files changed, 8470 insertions(+), 10266 deletions(-) create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532.json create mode 100644 
cdas/assets/mitre_cti/attack-patterns/attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--1cec9319-743b-4840-bb65-431547bce82a.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b.json create mode 100644 
cdas/assets/mitre_cti/attack-patterns/attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968.json create mode 100644 
cdas/assets/mitre_cti/attack-patterns/attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--818302b2-d640-477b-bf88-873120ce85c4.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc.json delete mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75.json create mode 100644 
cdas/assets/mitre_cti/attack-patterns/attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161.json create mode 100644 
cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5.json create mode 100644 
cdas/assets/mitre_cti/attack-patterns/attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd.json create mode 100644 cdas/assets/mitre_cti/attack-patterns/attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d.json create mode 100644 cdas/assets/mitre_cti/malware/malware--1cdbbcab-903a-414d-8eb0-439a97343737.json create mode 100644 cdas/assets/mitre_cti/malware/malware--20945359-3b39-4542-85ef-08ecb4e1c174.json create mode 100644 cdas/assets/mitre_cti/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json create mode 100644 cdas/assets/mitre_cti/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json create mode 100644 cdas/assets/mitre_cti/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json create mode 100644 cdas/assets/mitre_cti/malware/malware--3a4197ae-ec63-4162-907b-9a073d1157e4.json create mode 100644 cdas/assets/mitre_cti/malware/malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128.json create mode 100644 cdas/assets/mitre_cti/malware/malware--3d57dcc4-be99-4613-9482-d5218f5ec13e.json create mode 100644 cdas/assets/mitre_cti/malware/malware--47124daf-44be-4530-9c63-038bc64318dd.json create mode 100644 cdas/assets/mitre_cti/malware/malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b.json create mode 100644 cdas/assets/mitre_cti/malware/malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328.json create mode 100644 cdas/assets/mitre_cti/malware/malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d.json create mode 100644 cdas/assets/mitre_cti/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json create mode 100644 cdas/assets/mitre_cti/malware/malware--54a01db0-9fab-4d5f-8209-53cef8425f4a.json create mode 100644 
cdas/assets/mitre_cti/malware/malware--5f1d4579-4e8f-48e7-860e-2da773ae432e.json create mode 100644 cdas/assets/mitre_cti/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json create mode 100644 cdas/assets/mitre_cti/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json create mode 100644 cdas/assets/mitre_cti/malware/malware--8393dac0-0583-456a-9372-fd81691bca20.json create mode 100644 cdas/assets/mitre_cti/malware/malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053.json create mode 100644 cdas/assets/mitre_cti/malware/malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b.json create mode 100644 cdas/assets/mitre_cti/malware/malware--959f3b19-2dc8-48d5-8942-c66813a5101a.json create mode 100644 cdas/assets/mitre_cti/malware/malware--99164b38-1775-40bc-b77b-a2373b14540a.json create mode 100644 cdas/assets/mitre_cti/malware/malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862.json rename cdas/assets/mitre_cti/{tools/tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39.json => malware/malware--a7881f21-e978-4fe4-af56-92c9416a2616.json} (84%) create mode 100644 cdas/assets/mitre_cti/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json create mode 100644 cdas/assets/mitre_cti/malware/malware--b9704a7d-feef-4af9-8898-5280f1686326.json create mode 100644 cdas/assets/mitre_cti/malware/malware--bbcd7a02-ef24-4171-ac94-a93540173b94.json create mode 100644 cdas/assets/mitre_cti/malware/malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2.json create mode 100644 cdas/assets/mitre_cti/malware/malware--c984b414-b766-44c5-814a-2fe96c913c12.json create mode 100644 cdas/assets/mitre_cti/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json create mode 100644 cdas/assets/mitre_cti/malware/malware--e33e4603-afab-402d-b2a1-248d435b5fe0.json create mode 100644 cdas/assets/mitre_cti/malware/malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586.json create mode 100644 cdas/assets/mitre_cti/malware/malware--ef2247bf-8062-404b-894f-d65d00564817.json create mode 100644 
cdas/assets/mitre_cti/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d.json delete mode 
100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446.json delete mode 100644 
cdas/assets/mitre_cti/threat-actors/intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--813636db-3939-4a45-bea9-6113e970c029.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--88489675-d216-4884-a98f-49a89fcc1643.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json 
delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a.json delete mode 100644 
cdas/assets/mitre_cti/threat-actors/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6.json delete mode 100644 cdas/assets/mitre_cti/threat-actors/intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647.json create mode 100644 cdas/assets/mitre_cti/tools/tool--975737f1-b10d-476f-8bda-3ec26ea57172.json create mode 100644 
cdas/assets/mitre_cti/tools/tool--c4810609-7da6-48ec-8057-1b70a7814db0.json diff --git a/README.md b/README.md index ef327bc55..a40024cd9 100644 --- a/README.md +++ b/README.md @@ -18,14 +18,14 @@ Future versions will include fine-grained ability to control detailed aspects of ### ToDo - [ ] Output formats: HTML, SQL dump - [ ] Country relationship details -- [ ] Detailed representation of organization networks (asset improvement) +- [ ] Detailed representation of defender networks (asset improvement) - [ ] Visualization of relationships between data points - [ ] Improved world map generation - [ ] "web feeds" of intelligence/events (ex. news reports, dark web posts, etc.) ## Components -- Agents: Threat actors, organizations (companies) +- Agents: Threat actors, defenders (companies) - Friendly, enemy, and neutral players in the simulation - Assets: Cyber infrastructure - Networks, software, hardware, configurations, and vulnerabilities @@ -46,10 +46,9 @@ CDAS installs the following packages and their dependencies upon setup: numpy reportlab drawSVG +cyberdem ``` -You may also want to install ```libcairo2```. Optional, but you will receive errors when running CDAS without it. - ### Installing 1. Download CDAS and unzip the download folder @@ -62,7 +61,7 @@ $ pip3 install . 3. To test that CDAS is installed properly run ``` -$ python3 -m cdas -c sample_configs/randomize_all_small_pdf.json +$ python3 -m cdas -c sample_configs/randomize_all_small_pdf.json -v Setting up directories... Creating fake countries... Creating fake threat actors... 
@@ -77,13 +76,13 @@ Saving output... Done ``` -CDAS should finish with no errors (you will get warnings about libcairo2 and CairoSVG if you did not install that) and the results will be in a folder called cdas-output. Results will include +CDAS should finish with no errors and the results will be in a folder called cdas-output. Results will include - SVG map of countries - A "pdf" folder containing - 'actors' folder containing PDF files with threat actor descriptions - 'countries' folder containing PDF files with country attributes - 'reports' folder containing PDF files with event reports - - 'organizations' folder containing PDF files with organization descriptions + - 'defenders' folder containing PDF files with organization descriptions ## Configuration @@ -93,7 +92,7 @@ Additionally, there are three available command line flags: the required config- ``` $ python3 -m cdas -h -usage: __main__.py [-h] -c CONFIG_FILE [-i INPUT_DIRECTORY] [-o OUTPUT_DIRECTORY] +usage: __main__.py [-h] -c CONFIG_FILE [-i INPUT_DIRECTORY] [-o OUTPUT_DIRECTORY] [--verbose] optional arguments: -h, --help show this help message and exit @@ -103,6 +102,7 @@ optional arguments: directory for specifying custom data -o OUTPUT_DIRECTORY, --output-directory OUTPUT_DIRECTORY directory for storing results + --verbose, -v v for basic status, vv for detailed status ``` ## Data Customization diff --git a/cdas/__init__.py b/cdas/__init__.py index 0b9af6cf9..730871f84 100644 --- a/cdas/__init__.py +++ b/cdas/__init__.py @@ -1,4 +1,4 @@ # __init__.py # Version of the cdas package -__version__ = "0.0.2" \ No newline at end of file +__version__ = "0.0.5" \ No newline at end of file diff --git a/cdas/__main__.py b/cdas/__main__.py index 1ddfa7b7f..be0851c96 100644 --- a/cdas/__main__.py +++ b/cdas/__main__.py 
@@ -39,15 +39,17 @@ import argparse from datetime import datetime, timedelta import json +import logging import numpy as np import os import pkg_resources import shutil import sys +import cyberdem +import uuid # Import custom modules from . import context, agents, simulator, filestore - def main(): parser = argparse.ArgumentParser() @@ -60,8 +62,16 @@ def main(): parser.add_argument( "-o", "--output-directory", help="directory for storing results") + parser.add_argument('--verbose', '-v', action='count', default=0, + help="v for basic status, vv for detailed status") args = parser.parse_args() + if args.verbose == 1: + logging.basicConfig( + format='%(message)s', level=logging.INFO) + elif args.verbose == 2: + logging.basicConfig( + format='%(message)s', level=logging.DEBUG) # Load the configuration file with open(args.config_file, 'r') as f: @@ -73,12 +83,13 @@ def main(): 'defenders': '', 'threat-actors': '', 'malware': '', + 'networks': '', 'geoseed.json': '', 'tools': '', 'ttps': '' } - print("Setting up directories...") + logging.info("Setting up directories...") # Set up the Output directory if not args.output_directory: args.output_directory = config['output']['output_directory'] @@ -90,7 +101,7 @@ def main(): # Set up the temp directory if config['output']['temp_directory'] == "": raise Exception(f'No temporary directory specified') - temp_dir = filestore.FileStore( + filestore.FileStore( config['output']['temp_directory'], "temp", write=True) # Check the input folder if provided 
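Review bot: In the `@@ -39` hunk the new `import cyberdem` and `import uuid` land inside the stdlib group (`cyberdem` between `sys` and the local `from . import` line, `uuid` after it), and the blank line before `def main():` is dropped, leaving one blank line where PEP 8 expects two. Moving `cyberdem` up beside `numpy`/`pkg_resources` as the third-party group and restoring the second blank line keeps the header readable. `cyberdem.filesystem.FileSystem` is used later in this file; confirm that `import cyberdem` actually exposes the `filesystem` submodule, otherwise `import cyberdem.filesystem` is the import needed here.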
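Review bot: The `logging.basicConfig` branches in the `@@ -60` hunk only fire for `args.verbose == 1` or `== 2`, but `action='count'` yields 3 for `-vvv`, so a user passing extra `-v` flags gets no handler configured and every `logging.info` call in the rest of main() is silently dropped at the root logger's default WARNING level. Change the second branch to `elif args.verbose >= 2:`. The help text added in the same hunk (`v for basic status, vv for detailed status`) could then also say that more than two are treated as detailed. main() continues outside the hunk.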
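Review bot: The `@@ -90` hunk drops the `temp_dir` name and leaves a bare `filestore.FileStore(config['output']['temp_directory'], "temp", write=True)` whose result is discarded, which reads like a forgotten assignment. If the constructor is called for its side effect (presumably creating or validating the temp directory; FileStore itself is not in this diff), say so inline: `# constructed only for its side effect on the temp directory`. The last hunk of main() runs `shutil.rmtree` on this same user-configured path, so this comment is also the natural place to record that the directory is expected to belong to this run and not to pre-exist with other content.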
@@ -143,11 +154,11 @@ def main(): # Load or create country data if datastore['countries'] != '': # Using custom data - print("Loading custom country data...") + logging.info("Loading custom country data...") countries_fs = filestore.FileStore( datastore['countries'], context.Country) elif config['countries']['randomize'] is True: - print("Creating fake countries...") + logging.info("Creating fake countries...") countries_fs = filestore.FileStore( os.path.join(config['output']['temp_directory'], 'countries'), context.Country, write=True) @@ -175,7 +186,7 @@ def main(): countries_fs.save(country, overwrite=True) else: # Using country data files instead of random generation - print("Loading default country data...") + logging.info("Loading default country data...") countries_fs = filestore.FileStore( pkg_resources.resource_filename( __name__, 'data/cia_world_factbook/'), context.Country) @@ -185,8 +196,8 @@ def main(): path = args.output_directory + "/" + ot os.mkdir(path) os.mkdir(path + '/countries/') - for country in countries_fs.get( - [i[0] for i in countries_fs.query("SELECT id")]): + for i in countries_fs.query("SELECT id"): + country = countries_fs.get(i[0]) output_dir.output(ot+'/countries', country, ot) if ot == "html": html_src = pkg_resources.resource_filename( @@ -197,9 +208,10 @@ def main(): f = open(path+'/COUNTRY.html', 'r') c_template = f.read() f.close() + countries = [c[0] for c in countries_fs.query("SELECT name")] for country in countries: - f = open(path + '/countries/' + country.name + '.html', 'w') - f.write(c_template.replace('COUNTRY', country.name)) + f = open(path + '/countries/' + country + '.html', 'w') + f.write(c_template.replace('COUNTRY', country)) f.close() os.remove(path+'/COUNTRY.html') 
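Review bot: In the `@@ -197` hunk the country name returned by `countries_fs.query("SELECT name")` is spliced straight into a filesystem path, `path + '/countries/' + country + '.html'`, and country data can come from the user-supplied input directory (`datastore['countries']`, loaded in the `@@ -143` hunk), so a name containing a path separator or `..` would write the HTML file outside the `countries` folder. Reject such names before the open, e.g. `if os.sep in country or (os.altsep and os.altsep in country) or country in ('.', '..'): raise ValueError(f'unsafe country name: {country!r}')`, or replace separators and build the path with `os.path.join`. The `open`/`write`/`close` triple in the same hunk would also be safer as a `with open(...) as f:` block so the handle is released if `write` raises. main() continues outside the hunk.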
@@ -209,17 +221,20 @@ def main(): "assets/stix_vocab.json"), encoding='utf-8') as json_file: stix_vocab = json.load(json_file) json_file.close() - tools = tools_fs.get([name[0] for name in tools_fs.query("SELECT id")]) - malwares = malware_fs.get([n[0] for n in malware_fs.query("SELECT id")]) - ttps = ttp_fs.get([name[0] for name in ttp_fs.query("SELECT id")]) + names = tools_fs.query("SELECT id") + tools = [tools_fs.get(name[0]) for name in names] + names = malware_fs.query("SELECT id") + malwares = [malware_fs.get(name[0]) for name in names] + names = ttp_fs.query("SELECT id") + ttps = [ttp_fs.get(name[0]) for name in names] if datastore['threat-actors'] != '': - print("Loading custom threat actor data...") + logging.info("Loading custom threat actor data...") # Using custom threat actors provided by the user in the input folder threat_actor_fs = filestore.FileStore( datastore['threat-actors'], agents.ThreatActor) elif config['agents']['randomize_threat_actors'] is True: - print("Creating fake threat actors...") + logging.info("Creating fake threat actors...") threat_actor_fs = filestore.FileStore( os.path.join(config['output']['temp_directory'], 'threat-actors'), agents.ThreatActor, write=True) @@ -245,15 +260,15 @@ def main(): stix_vocab['threat-actor-sophistication']) actors += 1 else: - print("Loading default threat actor data...") + logging.info("Loading default threat actor data...") threat_actor_fs = filestore.FileStore( pkg_resources.resource_filename( __name__, 'assets/mitre_cti/threat-actors/'), agents.ThreatActor) # Output threat actor reports - actors = threat_actor_fs.get( - [name[0] for name in threat_actor_fs.query("SELECT id")]) + names = threat_actor_fs.query("SELECT id") + actors = [threat_actor_fs.get(name[0]) for name in names] for ot in config['output']['output_types']: os.mkdir(args.output_directory + "/" + ot + '/actors/') for apt in actors: 
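Review bot: The `names = X_fs.query("SELECT id")` / `[X_fs.get(name[0]) for name in names]` pair in the `@@ -209` hunk is written out three times for tools, malware and ttps, again for actors in the `@@ -245` hunk, and once more for defenders and events in later hunks, each time reusing the `names` local. A two-line helper, `def _load_all(fs): return [fs.get(row[0]) for row in fs.query("SELECT id")]`, would make every site one line and remove the shared temporary. Also, the later `simulator.simulate` hunk no longer passes `tools`, `malwares` or `ttps`; if nothing between these hunks reads them, those three loads are now dead work, but the intervening code is outside this diff so I cannot confirm that.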
@@ -262,12 +277,12 @@ def main(): # Create or load defending organizations if datastore['defenders'] != '': - print("Loading custom defender data...") + logging.info("Loading custom defender data...") # Using custom defenders provided by the user in the input folder defender_fs = filestore.FileStore( datastore['defenders'], agents.Defender) else: - print("Creating random defending organizations...") + logging.info("Creating random defending organizations...") defender_fs = filestore.FileStore( os.path.join(config['output']['temp_directory'], 'defenders'), agents.Defender, write=True) 
@@ -315,37 +330,55 @@ def main(): defs += 1 # Output defender info - defenders = defender_fs.get( - [name[0] for name in defender_fs.query("SELECT id")]) + names = defender_fs.query("SELECT id") + defenders = [defender_fs.get(name[0]) for name in names] for ot in config['output']['output_types']: os.mkdir(args.output_directory + "/" + ot + '/defenders/') for d in defenders: output_dir.output(ot+'/defenders', d, ot) # Create or load networks of defenders - - # Output network information - + if datastore['networks'] != '': + logging.info("Loading custom network data...") + # Using custom networks provided by the user in the input folder + network_fs = filestore.FileStore( + datastore['networks'], 'Networks') + else: + logging.info("Creating random networks of defenders...") + network_fs = filestore.FileStore( + os.path.join(config['output']['temp_directory'], 'networks'), + 'Networks', write=True) + for d in defenders: + net_name = 'network--'+str(uuid.uuid4()) + fs = cyberdem.filesystem.FileSystem(os.path.join( + config['output']['temp_directory'], 'networks', net_name)) + context.random_network(fs, 100) + relationships.append((d.id, 'owns', net_name)) # Run simulation - print('Running simulation...') + logging.info('Running simulation...') events_fs = filestore.FileStore( os.path.join(config['output']['temp_directory'], 'events'), context.Event, write=True) - # For now, we're assuming all of the attackers decide to attack the one - # defender, who is too dumb to make changes the network simulator.simulate( - actors, defenders, tools, malwares, events_fs, relationships, start) - # We don't know ahead of time how many moves will be made, so go back to - # the events and set to the desired time frame + actors, defenders, config['defenders']['allow_defense'], events_fs, + relationships, stix_vocab['threat-actor-sophistication']) + # We don't know ahead of time how many moves will be made, so once the + # simulation is done, go back to the events and set to the correct 
day/time + events = [events_fs.get(i[0]) for i in events_fs.query("SELECT id")] start = datetime.strptime( config["simulation"]['time_range'][0], '%Y-%m-%d') end = datetime.strptime(config["simulation"]['time_range'][1], '%Y-%m-%d') - time_increment = (end - start)/num_events - print("@TODO: Event date times...") + time_increment = (end - start)/len(events) + newlist = sorted(events, key=lambda x: x.date) + for e in newlist: + e.date = start + e.name = "Report_" + start.strftime("%Y%m%d_%H%M%S") + events_fs.save(e, overwrite=True) + start += time_increment # Create output files - print('Saving output...') + logging.info('Saving output...') # Map try: map_matrix.plot_map(args.output_directory, **country_names) @@ -353,16 +386,16 @@ def main(): pass for ot in config['output']['output_types']: - print(f' {ot}...') + logging.debug(f' {ot}...') path = args.output_directory + "/" + ot os.mkdir(path + '/reports/') - print(f'\t Events...') - for e in events_fs.get([i[0] for i in events_fs.query("SELECT id")]): + logging.debug(f'\t Events...') + for e in [events_fs.get(i[0]) for i in events_fs.query("SELECT id")]: output_dir.output(ot+'/reports', e, ot) shutil.rmtree(config['output']['temp_directory']) - print('Done') + logging.info('Done') if __name__ == "__main__": diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88.json index d343e67ad..850bf10ee 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88.json 
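Review bot: `time_increment = (end - start)/len(events)` in the `@@ -315` hunk raises ZeroDivisionError when the simulation produced no events (the old code divided by `num_events`), so a run fails only after all generation work is done; guard it with `if not events: raise Exception('simulation produced no events')` or skip the re-dating loop when the list is empty. In the same hunk `network_fs` is assigned in both branches but never read afterwards within the hunk, its second argument is the string `'Networks'` where every other FileStore receives a class, and the custom-networks branch appends no `(d.id, 'owns', ...)` relationship, so defenders loaded with custom networks are not linked to them unless code outside the hunk does so. `context.random_network(fs, 100)` hard-codes the network size; a named constant or a config value (`config['defenders'][<size-key>]`, key to be chosen) would document the choice. When `time_increment` is under one second, `"Report_" + start.strftime("%Y%m%d_%H%M%S")` produces duplicate event names, which matters if the name later becomes an output filename. main() continues before and after this hunk.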
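Review bot: `logging.debug(f' {ot}...')` and `logging.debug(f'\t Events...')` in the `@@ -353` hunk format eagerly; the logging idiom is lazy arguments, `logging.debug(' %s...', ot)`, so the string is only built when DEBUG is enabled. The loop `for e in [events_fs.get(i[0]) for i in events_fs.query("SELECT id")]:` materialises a list only to iterate it; a generator expression, or the `newlist` already built and saved in the previous hunk if the stored objects are identical, avoids the second round-trip through the store. The unconditional `shutil.rmtree(config['output']['temp_directory'])` at the end is not inside a `finally`, so when any earlier step raises, the generated networks and events stay on disk under the user-configured path; worth a follow-up if that is not intended.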
@@ -1,7 +1,7 @@ { "id": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88", "name": "Acquire OSINT data sets and information", - "description": "Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1277).\n\nData sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334.json index a16a2a937..a6adc6429 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334.json @@ -16,7 +16,8 @@ ], "platforms": [ "macOS", - "Windows" + "Windows", + "Linux" ], "kill_chain": [ { 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400.json index 84fe66376..efb361271 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400", "name": "Submit KITs, KIQs, and intelligence requirements", - "description": "Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1237).\n\nOnce they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json index 8bb585ab0..b00102ad6 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983", "name": "Acquire or compromise 3rd party signing certificates", - "description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1332).\n\nCode signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)", "references": [ { "source_name": "mitre-pre-attack", @@ -9,8 +9,9 @@ "external_id": "T1332" }, { - "description": "Dennis Fisher. (2012, October 31). FINAL REPORT ON DIGINOTAR HACK SHOWS TOTAL COMPROMISE OF CA SERVERS. Retrieved March 6, 2017.", - "source_name": "DiginotarCompromise" + "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.", + "source_name": "DiginotarCompromise", + "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/" } ], "kill_chain": [ 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa.json index 46d69990a..451fb16cd 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa.json @@ -9,8 +9,9 @@ "url": "https://attack.mitre.org/techniques/T1386" }, { - "description": "PETER BRIGHT. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", - "source_name": "AnonHBGary" + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2.json new file mode 100644 index 000000000..d9d70a7bf --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "name": "Acquire Infrastructure", + "description": "Before compromising a victim, adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583", + "url": "https://attack.mitre.org/techniques/T1583" + }, + { + "source_name": "TrendmicroHideoutsLease", + "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.", + "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3.json index 8059da057..6a83151f5 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3.json 
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3", "name": "Identify security defensive capabilities", - "description": "Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1263).\n\nSecurity defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json index 6d4af3139..cb23341cc 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6", "name": "Test callback functionality", - "description": "Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1356).\n\nCallbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1.json index b3c72d063..537ef162e 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1", "name": "Identify job postings and needs/gaps", - "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1267).\n\nJob postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json index 05ee510e1..bd47ed60c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", "name": "Analyze organizational skillsets and deficiencies", - "description": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1289).\n\nAnalyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f.json new file mode 100644 index 000000000..10cbceaa0 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "name": "Gather Victim Host Information", + "description": "Before compromising a victim, adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592", + "url": "https://attack.mitre.org/techniques/T1592" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca.json new file mode 100644 index 000000000..716af07b8 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca", + "name": "Digital Certificates", + "description": "Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\n\nAdversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.003", + "url": "https://attack.mitre.org/techniques/T1596/003" + }, + { + "source_name": "SSLShopper Lookup", + "url": "https://www.sslshopper.com/ssl-checker.html", + "description": "SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020." 
+ }, + { + "source_name": "Medium SSL Cert", + "url": "https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2", + "description": "Jain, M. (2019, September 16). Export & Download \u2014 SSL Certificate from Server (Site URL). Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4.json index e602d5776..1b8a10554 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", "name": "Keylogging", - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. 
Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", "references": [ { "source_name": "mitre-attack", @@ -17,12 +17,18 @@ "url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf", "description": "Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.", "source_name": "Adventures of a Keystroke" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." } ], "platforms": [ "Windows", "macOS", - "Linux" + "Linux", + "Network" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119.json index 39037123e..581e4e27b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119.json 
@@ -9,9 +9,14 @@ "url": "https://attack.mitre.org/techniques/T1110/001" }, { - "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", + "external_id": "CAPEC-49", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/49.html" + }, + { + "source_name": "Cylance Cleaver", "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", - "source_name": "Cylance Cleaver" + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" }, { "source_name": "US-CERT TA18-068A 2018", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f.json new file mode 100644 index 000000000..4b760c019 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f", + "name": "Purchase Technical Data", + "description": "Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\n\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim\u2019s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1597.002", + "url": "https://attack.mitre.org/techniques/T1597/002" + }, + { + "source_name": "ZDNET Selling Data", + "url": "https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/", + "description": "Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020." 
+ } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74.json new file mode 100644 index 000000000..a482c5ffc --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74.json 
@@ -0,0 +1,39 @@ +{ + "id": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "name": "Data from Configuration Repository", + "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1602", + "url": "https://attack.mitre.org/techniques/T1602" + }, + { + "source_name": "US-CERT-TA18-106A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + }, + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Advisory SNMP v3 Authentication Vulnerabilities", + "url": "https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3", + "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020." 
+ } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3.json index 21d1479ab..6fed226d7 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3.json @@ -8,6 +8,16 @@ "external_id": "T1498.001", "url": "https://attack.mitre.org/techniques/T1498/001" }, + { + "external_id": "CAPEC-125", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/125.html" + }, + { + "external_id": "CAPEC-486", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/486.html" + }, { "source_name": "USNYAG IranianBotnet March 2016", "url": "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624.json index 293fe1fbf..265782ef6 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624", "name": "Identify people of interest", - "description": "The attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. (Citation: RSA-APTRecon) (Citation: Scasny2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1269).\n\nThe attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. (Citation: RSA-APTRecon) (Citation: Scasny2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32.json index d998183b3..39e307895 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32.json 
@@ -9,9 +9,14 @@
 "url": "https://attack.mitre.org/techniques/T1574/007"
 },
 {
- "external_id": "CAPEC-capec",
+ "external_id": "CAPEC-13",
 "source_name": "capec",
- "url": "https://capec.mitre.org/data/definitions/capec.html"
+ "url": "https://capec.mitre.org/data/definitions/13.html"
+ },
+ {
+ "external_id": "CAPEC-38",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/38.html"
 }
 ],
 "platforms": [
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6.json
index 6c1424e26..ead560ca7 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6",
 "name": "Common, high volume protocols and software",
- "description": "Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1321).\n\nCertain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json index 549b1ab4f..df2d5129a 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json 
@@ -1,17 +1,17 @@ { "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "name": "Supply Chain Compromise", - "description": "As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nRelated PRE-ATT&CK techniques include:\n\n* [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n* [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.", + "description": "As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. 
Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nThird-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).", "references": [ { "source_name": "mitre-mobile-attack", - "url": "https://attack.mitre.org/techniques/T1474", - "external_id": "T1474" + "external_id": "T1474", + "url": "https://attack.mitre.org/techniques/T1474" }, { + "external_id": "APP-6", "source_name": "NIST Mobile Threat Catalogue", - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", - "external_id": "APP-6" + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html" }, { "source_name": "NowSecure-RemoteCode", @@ -22,11 +22,6 @@ "source_name": "Grace-Advertisement", "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.", "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" - }, - { - "source_name": "PaloAlto-XcodeGhost1", - "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", - "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" } ], "platforms": [ 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3.json new file mode 100644 index 000000000..0f127422d --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3.json 
@@ -0,0 +1,36 @@ +{ + "id": "attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3", + "name": "IP Addresses", + "description": "Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.005", + "url": "https://attack.mitre.org/techniques/T1590/005" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." 
+ }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7.json index 13a3b8145..297b9935d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7.json @@ -8,6 +8,16 @@ "external_id": "T1499.001", "url": "https://attack.mitre.org/techniques/T1499/001" }, + { + "external_id": "CAPEC-469", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/469.html" + }, + { + "external_id": "CAPEC-482", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/482.html" + }, { "source_name": "Arbor AnnualDoSreport Jan 2018", "url": "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb.json index bb51423bc..455c0c0f1 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb", "name": "Identify analyst level gaps", - "description": "Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1233).\n\nAnalysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea.json new file mode 100644 index 000000000..2f053aaef --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea", + "name": "DNS", + "description": "Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts.\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.002", + "url": "https://attack.mitre.org/techniques/T1590/002" + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." 
+ } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33.json index 8eac8b69a..bdb9a4d00 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33", "name": "Friend/Follow/Connect to targets of interest", - "description": "Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1344).\n\nOnce a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)", "references": [ { "source_name": "mitre-pre-attack", 
@@ -10,11 +10,13 @@ }, { "source_name": "NEWSCASTER2014", - "description": "Mike Lennon. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017." + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" }, { "source_name": "BlackHatRobinSage", - "description": "Thomas Ryan. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017." + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073.json index ab7e9fabd..3bc177d11 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073.json 
@@ -1,6 +1,6 @@ { "id": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073", - "name": "Bypass User Access Control", + "name": "Bypass User Account Control", "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)", "references": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf.json index 07367b327..e692351e9 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf.json 
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf",
 "name": "Port redirector",
- "description": "Redirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack. (Citation: SecureWorks HTRAN Analysis)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1363).\n\nRedirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack. (Citation: SecureWorks HTRAN Analysis)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--144e007b-e638-431d-a894-45d90c54ab90.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--144e007b-e638-431d-a894-45d90c54ab90.json
index 8cd534a19..c4d0a69e7 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--144e007b-e638-431d-a894-45d90c54ab90.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--144e007b-e638-431d-a894-45d90c54ab90.json
@@ -11,7 +11,7 @@
 {
 "source_name": "Mandiant M-Trends 2020",
 "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
 }
 ],
 "platforms": [
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904.json index 4ef95d802..65dc442c9 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904", "name": "Derive intelligence requirements", - "description": "Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1230).\n\nLeadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)", "references": [ { "external_id": "T1230", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3.json index 1a9e32b20..536dadda3 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3", "name": "Build and configure delivery systems", - "description": "Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1347).\n\nDelivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f.json new file mode 100644 index 000000000..4c2e86183 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f", + "name": "WHOIS", + "description": "Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\n\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.002", + "url": "https://attack.mitre.org/techniques/T1596/002" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26.json new file mode 100644 index 000000000..f26f09bdd --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26", + "name": "Search Victim-Owned Websites", + "description": "Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1594", + "url": "https://attack.mitre.org/techniques/T1594" + }, + { + "source_name": "Comparitech Leak", + "url": "https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/", + "description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2.json
index 8f781ddc7..6c9d66b01 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2.json
@@ -31,7 +31,11 @@
 ],
 "platforms": [
 "Office 365",
- "Azure AD"
+ "Azure AD",
+ "GCP",
+ "SaaS",
+ "Azure",
+ "AWS"
 ],
 "kill_chain": [
 {
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json
index 4f4456aef..d367151f5 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json
@@ -9,9 +9,9 @@
 "url": "https://attack.mitre.org/techniques/T1574/011"
 },
 {
- "external_id": "CAPEC-CAPEC",
+ "external_id": "CAPEC-478",
 "source_name": "capec",
- "url": "https://capec.mitre.org/data/definitions/CAPEC.html"
+ "url": "https://capec.mitre.org/data/definitions/478.html"
 },
 {
 "source_name": "Registry Key Security",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532.json
new file mode 100644
index 000000000..5136a25c1
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532.json
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532", + "name": "DNS/Passive DNS", + "description": "Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.001", + "url": "https://attack.mitre.org/techniques/T1596/001" + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." 
+ } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81.json index b6d386a20..c23bff275 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81", "name": "Test physical access", - "description": "An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1360).\n\nAn adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421.json new file mode 100644 index 000000000..3fe4c15dc --- /dev/null 
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421.json 
@@ -0,0 +1,41 @@ +{ + "id": "attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421", + "name": "Digital Certificates", + "description": "Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise)\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAdversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.004", + "url": "https://attack.mitre.org/techniques/T1588/004" + }, + { + "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. 
Retrieved March 6, 2017.", + "source_name": "DiginotarCompromise", + "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/" + }, + { + "source_name": "Let's Encrypt FAQ", + "url": "https://letsencrypt.org/docs/faq/", + "description": "Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved October 15, 2020." + }, + { + "source_name": "Splunk Kovar Certificates 2017", + "url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html", + "description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020." + }, + { + "source_name": "Recorded Future Beacon Certificates", + "url": "https://www.recordedfuture.com/cobalt-strike-servers/", + "description": "Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd.json index 435aabe8a..e1ff345a9 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd", "name": "Identify technology usage patterns", - "description": "Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1264).\n\nTechnology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81.json new file mode 100644 index 000000000..bf01ed3cc --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81", + "name": "DNS Server", + "description": "Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\n\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.002", + "url": "https://attack.mitre.org/techniques/T1583/002" + }, + { + "source_name": "Unit42 DNS Mar 2019", + "url": "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", + "description": "Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can be (ab)used by malicious actors. Retrieved October 3, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11.json index 641d8f64a..2b058f88d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11.json 
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11", "name": "Acquire and/or use 3rd party software services", - "description": "A wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1308).\n\nA wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba.json index 79af14a2c..3eaccd610 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba.json 
@@ -8,6 +8,11 @@ "external_id": "T1542.003", "url": "https://attack.mitre.org/techniques/T1542/003" }, + { + "external_id": "CAPEC-552", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/552.html" + }, { "source_name": "Mandiant M Trends 2016", "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1cec9319-743b-4840-bb65-431547bce82a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1cec9319-743b-4840-bb65-431547bce82a.json new file mode 100644 index 000000000..a11a625c7 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1cec9319-743b-4840-bb65-431547bce82a.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--1cec9319-743b-4840-bb65-431547bce82a", + "name": "Digital Certificates", + "description": "Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\n\nAdversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587.003", + "url": "https://attack.mitre.org/techniques/T1587/003" + }, + { + "source_name": "Splunk Kovar Certificates 2017", + "url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html", + "description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d.json index 8e3566f4f..d57ae49da 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d.json @@ -8,6 +8,11 @@ "external_id": "T1110.002", "url": "https://attack.mitre.org/techniques/T1110/002" }, + { + "external_id": "CAPEC-55", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/55.html" + }, { "url": "https://en.wikipedia.org/wiki/Password_cracking", "description": "Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1def484d-2343-470d-8925-88f45b5f9615.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1def484d-2343-470d-8925-88f45b5f9615.json index 9b23a9e3e..b864efa87 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1def484d-2343-470d-8925-88f45b5f9615.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1def484d-2343-470d-8925-88f45b5f9615.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--1def484d-2343-470d-8925-88f45b5f9615", "name": "Assess vulnerability of 3rd party vendors", - "description": "Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1298).\n\nOnce a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf.json index b4abf2802..1f6e0cbbd 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf.json @@ -8,6 +8,11 @@ "external_id": "T1547", "url": "https://attack.mitre.org/techniques/T1547" }, + { + "external_id": "CAPEC-564", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/564.html" + }, { "url": "http://msdn.microsoft.com/en-us/library/aa376977", "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json index d5ac9c3e1..fff683a53 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f", "name": "Identify business processes/tempo", - "description": "Understanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. (Citation: Scasny2015) (Citation: Infosec-osint)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1280).\n\nUnderstanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. (Citation: Scasny2015) (Citation: Infosec-osint)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8.json new file mode 100644 index 000000000..efad1624f --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8.json 
@@ -0,0 +1,34 @@ +{ + "id": "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8", + "name": "Weaken Encryption", + "description": "Adversaries may compromise a network device\u2019s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device\u2019s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1600", + "url": "https://attack.mitre.org/techniques/T1600" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." 
+ }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864.json index eb6d0053b..cbea5fb8d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864", "name": "Data Hiding", - "description": "Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. (Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1320).\n\nCertain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. (Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json index 064446ce5..24a7b17db 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d", "name": "Determine physical locations", - "description": "Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1282).\n\nPhysical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c.json index b4d52b900..33e69b101 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c", "name": "Dynamic DNS", - "description": "Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1311).\n\nDynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b.json index f822ffdca..a1159fc9e 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b.json @@ -25,7 +25,9 @@ } ], "platforms": [ - "Windows" + "Windows", + "Linux", + "macOS" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0.json new file mode 100644 index 000000000..2b4178abd --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0.json 
@@ -0,0 +1,46 @@ +{ + "id": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "name": "Malware", + "description": "Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587.001", + "url": "https://attack.mitre.org/techniques/T1587/001" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). 
Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "source_name": "ActiveMalwareEnergy", + "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/" + }, + { + "source_name": "FBI Flash FIN7 USB", + "url": "https://www.losangeles.va.gov/documents/MI-000120-MW.pdf", + "description": "Federal Bureau of Investigation, Cyber Division. (2020, March 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection Attacks. Retrieved October 14, 2020." + }, + { + "source_name": "FireEye APT29", + "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a.json index 59701cd40..5cfcbc0f2 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a", "name": "Procure required equipment and software", - "description": "An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1335).\n\nAn adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)", "references": [ { "source_name": "mitre-pre-attack", @@ -10,7 +10,8 @@ }, { "source_name": "NYTStuxnet", - "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017." + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8.json index d9a84577a..826a1d793 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8.json @@ -14,8 +14,8 @@ "source_name": "Sofacy Komplex Trojan" }, { - "url": "https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty", - "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017.", + "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.", "source_name": "Cybereason OSX Pirrit" }, { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f.json new file mode 100644 index 000000000..1a3348d56 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f", + "name": "Identify Business Tempo", + "description": "Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization\u2019s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim\u2019s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1591.003", + "url": "https://attack.mitre.org/techniques/T1591/003" + }, + { + "source_name": "ThreatPost Broadvoice Leak", + "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/", + "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. 
Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf.json index a06818a3c..3c9e031c6 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf", "name": "Determine domain and IP address space", - "description": "Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1250).\n\nDomain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26.json new file mode 100644 index 000000000..b88a2e361 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26", + "name": "Hardware", + "description": "Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592.001", + "url": "https://attack.mitre.org/techniques/T1592/001" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--271e6d40-e191-421a-8f87-a8102452c201.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--271e6d40-e191-421a-8f87-a8102452c201.json index 7c73bf7e4..444026f81 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--271e6d40-e191-421a-8f87-a8102452c201.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--271e6d40-e191-421a-8f87-a8102452c201.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201", "name": "Develop social network persona digital footprint", - "description": "Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1342).\n\nBoth newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)", "references": [ { "source_name": "mitre-pre-attack", 
@@ -10,11 +10,13 @@ }, { "source_name": "NEWSCASTER2014", - "description": "Mike Lennon. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017." + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" }, { "source_name": "BlackHatRobinSage", - "description": "Thomas Ryan. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017." + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" }, { "source_name": "RobinSageInterview", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d.json new file mode 100644 index 000000000..7c82fbec9 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d.json 
@@ -0,0 +1,36 @@ +{ + "id": "attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d", + "name": "Social Media Accounts", + "description": "Before compromising a victim, adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. 
These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1586.001", + "url": "https://attack.mitre.org/techniques/T1586/001" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json index 95ad98512..52a24d273 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", "name": "Obtain/re-use payloads", - "description": "A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1346).\n\nA payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--286cc500-4291-45c2-99a1-e760db176402.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--286cc500-4291-45c2-99a1-e760db176402.json index 44cc462ea..790139f63 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--286cc500-4291-45c2-99a1-e760db176402.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--286cc500-4291-45c2-99a1-e760db176402.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402", "name": "Acquire and/or use 3rd party infrastructure services", - "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1307).\n\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json index 0e6cdec9b..263054b7e 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca", "name": "Identify web defensive services", - "description": "An adversary can attempt to identify web defensive services as [CloudFlare](https://www.cloudflare.com), [IPBan](https://github.com/jjxtra/Windows-IP-Ban-Service), and [Snort](https://www.snort.org). This may be done by passively detecting services, like [CloudFlare](https://www.cloudflare.com) routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1256).\n\nAn adversary can attempt to identify web defensive services as [CloudFlare](https://www.cloudflare.com), [IPBan](https://github.com/jjxtra/Windows-IP-Ban-Service), and [Snort](https://www.snort.org). This may be done by passively detecting services, like [CloudFlare](https://www.cloudflare.com) routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4.json new file mode 100644 index 000000000..a324b5705 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4.json 
@@ -0,0 +1,58 @@ +{ + "id": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "name": "TFTP Boot", + "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1542.005", + "url": "https://attack.mitre.org/techniques/T1542/005" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020." 
+ }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Command History", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Boot Information", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#26", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot Information. Retrieved October 21, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32.json index 31fc74ffa..30e84ddf0 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32.json 
@@ -8,6 +8,21 @@ "external_id": "T1543.003", "url": "https://attack.mitre.org/techniques/T1543/003" }, + { + "external_id": "CAPEC-478", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/478.html" + }, + { + "external_id": "CAPEC-550", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/550.html" + }, + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, { "url": "https://technet.microsoft.com/en-us/library/cc772408.aspx", "description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327.json new file mode 100644 index 000000000..97e30b07e --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327", + "name": "Vulnerabilities", + "description": "Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\n\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.006", + "url": "https://attack.mitre.org/techniques/T1588/006" + }, + { + "source_name": "National Vulnerability Database", + "url": "https://nvd.nist.gov/", + "description": "National Vulnerability Database. (n.d.). National Vulnerability Database. Retrieved October 15, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7.json index 3bb69888f..46ed144e6 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "name": "Spearphishing Link", - "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)", + "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. 
It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a.json index ce50c7599..e1ee4f006 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a", "name": "Acquire OSINT data sets and information", - "description": "Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1266).\n\nOpen source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230.json new file mode 100644 index 000000000..b20a022b0 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230.json 
@@ -0,0 +1,41 @@ +{ + "id": "attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "name": "Spearphishing Link", + "description": "Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1598.003", + "url": "https://attack.mitre.org/techniques/T1598/003" + }, + { + "source_name": "TrendMictro Phishing", + "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html", + "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. 
Retrieved October 20, 2020." + }, + { + "source_name": "PCMag FakeLogin", + "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages", + "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020." + }, + { + "source_name": "Microsoft Anti Spoofing", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020." + }, + { + "source_name": "ACSC Email Spoofing", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad.json new file mode 100644 index 000000000..6e7bf416b --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad.json 
@@ -0,0 +1,39 @@ +{ + "id": "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad", + "name": "Print Processors", + "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1547.012", + "url": "https://attack.mitre.org/techniques/T1547/012" + }, + { + "source_name": "Microsoft AddPrintProcessor May 2018", + "url": "https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor", + "description": "Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020." 
+ }, + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "platforms": [ + "Windows" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "permissions": [ + "Administrator", + "SYSTEM" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597.json index 5da484587..10b453472 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "name": "Spearphishing Attachment", - "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.", + "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. 
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412.json index 008ade9fa..2afe4c8ac 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412", "name": "Disseminate removable media", - "description": "Removable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1379).\n\nRemovable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074.json new file mode 100644 index 000000000..22ce2dc5a --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074.json 
@@ -0,0 +1,46 @@ +{ + "id": "attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074", + "name": "Botnet", + "description": "Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.005", + "url": "https://attack.mitre.org/techniques/T1583/005" + }, + { + "source_name": "Norton Botnet", + "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html", + "description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020." + }, + { + "source_name": "Imperva DDoS for Hire", + "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/", + "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020." + }, + { + "source_name": "Krebs-Anna", + "description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/" + }, + { + "source_name": "Krebs-Bazaar", + "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/" + }, + { + "source_name": "Krebs-Booter", + "description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. 
Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f.json index 8e411681f..fc5a59135 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f", "name": "Private whois services", - "description": "Every domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. (Citation: APT1)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1305).\n\nEvery domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. (Citation: APT1)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4.json index 5c570044f..3d140de5a 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4", "name": "Assess security posture of physical locations", - "description": "Physical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1302).\n\nPhysical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899.json index 4062628b3..c1d4a6740 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899", "name": "Misattributable credentials", - "description": "The use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1322).\n\nThe use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca.json index 90d7857bd..6a92dc506 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca", "name": "Analyze presence of outsourced capabilities", - "description": "Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1303).\n\nOutsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f.json index c3afab3fe..551716450 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f", "name": "Network Share Discovery", - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\remotesystem command. It can also be used to query shared drives on the local system using net share.\n\nCloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\remotesystem command. 
It can also be used to query shared drives on the local system using net share.", "references": [ { "source_name": "mitre-attack", @@ -22,24 +22,11 @@ "url": "https://technet.microsoft.com/library/cc770880.aspx", "description": "Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.", "source_name": "TechNet Shared Folder" - }, - { - "source_name": "Amazon Creating an NFS File Share", - "url": "https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingAnNFSFileShare.html", - "description": "Amazon. (n.d.). Creating an NFS File Share. Retrieved October 23, 2019." - }, - { - "source_name": "Google File servers on Compute Engine", - "url": "https://cloud.google.com/solutions/filers-on-compute-engine", - "description": "Google Cloud. (2019, October 10). File servers on Compute Engine. Retrieved October 23, 2019." } ], "platforms": [ "macOS", "Windows", - "AWS", - "GCP", - "Azure", "Linux" ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5.json new file mode 100644 index 000000000..365b9db11 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5", + "name": "Network Topology", + "description": "Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.004", + "url": "https://attack.mitre.org/techniques/T1590/004" + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." 
+ } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf.json new file mode 100644 index 000000000..ae3289313 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf.json @@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf", + "name": "Code Signing Certificates", + "description": "Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587.002", + "url": "https://attack.mitre.org/techniques/T1587/002" + }, + { + "url": "https://en.wikipedia.org/wiki/Code_signing", + "description": "Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.", + "source_name": "Wikipedia Code Signing" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee.json index ac2d3a6ed..0d185d441 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee", "name": "Windows File and Directory Permissions Modification", - "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. 
Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. 
Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2.json index 942bfcf40..d218c7a82 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2", "name": "Obfuscate or encrypt code", - "description": "Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1319).\n\nObfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0.json index d0dd5f185..835e5f4de 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0.json @@ -11,7 +11,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "platforms": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e.json new file mode 100644 index 000000000..201ccb19e --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e", + "name": "Network Trust Dependencies", + "description": "Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.003", + "url": "https://attack.mitre.org/techniques/T1590/003" + }, + { + "source_name": "Pentesting AD Forests", + "url": "https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019", + "description": "Garc\u00eda, C. (2019, April 3). Pentesting Active Directory Forests. Retrieved October 20, 2020." 
+ } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01.json index 85714f66f..6fa68eba7 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01.json @@ -8,6 +8,11 @@ "external_id": "T1498.002", "url": "https://attack.mitre.org/techniques/T1498/002" }, + { + "external_id": "CAPEC-490", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/490.html" + }, { "source_name": "Cloudflare ReflectionDoS May 2017", "url": "https://blog.cloudflare.com/reflections-on-reflections/", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb.json index 5acc60014..8120e08a1 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb.json 
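Review bot: The new `PRE`-platform records (this one, and the `Virtual Private Server` and `Email Accounts` files added later in this commit) carry no `permissions` key, whereas the enterprise records added alongside them (`AS-REP Roasting`, `Reduce Key Space`) do; a consumer that reads `obj["permissions"]` unconditionally will raise `KeyError` on the PRE entries. I cannot see the loader from this hunk, so this is worth confirming against `cdas/__main__.py`; if it indexes on that key, either read it with `.get("permissions", [])` or have the importer emit an empty list for PRE objects. Likewise `"platforms": ["PRE"]` names a matrix rather than an operating system, so any platform-based filtering should treat it as a distinct case instead of an OS value.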
@@ -1,7 +1,7 @@ { "id": "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb", "name": "AppleScript", - "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.\n\nosascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nAdversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\".", + "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. 
These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s\u00a0NSAppleScript\u00a0or\u00a0OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)", "references": [ { "source_name": "mitre-attack", 
@@ -13,6 +13,16 @@ "url": "https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html", "description": "Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020." }, + { + "source_name": "SentinelOne AppleScript", + "url": "https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/", + "description": "Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020." + }, + { + "source_name": "SentinelOne macOS Red Team", + "url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/", + "description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020." + }, { "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/", "description": "Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd.json index 9f96f3e32..b00f9df8b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd", "name": "Hardware or software supply chain implant", - "description": "During production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1365).\n\nDuring production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858.json index c69501735..aa463e948 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858.json 
@@ -8,6 +8,21 @@ "external_id": "T1499.002", "url": "https://attack.mitre.org/techniques/T1499/002" }, + { + "external_id": "CAPEC-488", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/488.html" + }, + { + "external_id": "CAPEC-489", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/489.html" + }, + { + "external_id": "CAPEC-528", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/528.html" + }, { "source_name": "Arbor AnnualDoSreport Jan 2018", "url": "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b.json new file mode 100644 index 000000000..93e7aca0a --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b.json 
@@ -0,0 +1,59 @@ +{ + "id": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b", + "name": "AS-REP Roasting", + "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. 
If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1558.004", + "url": "https://attack.mitre.org/techniques/T1558/004" + }, + { + "source_name": "Harmj0y Roasting AS-REPs Jan 2017", + "url": "http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", + "description": "HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August 24, 2020." + }, + { + "source_name": "Microsoft Kerberos Preauth 2014", + "url": "https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx", + "description": "Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why It Should Not Be Disabled. Retrieved August 25, 2020." + }, + { + "source_name": "Stealthbits Cracking AS-REP Roasting Jun 2019", + "url": "https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/", + "description": "Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020." + }, + { + "description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.", + "source_name": "SANS Attacking Kerberos Nov 2014", + "url": "https://redsiege.com/kerberoast-slides" + }, + { + "url": "https://adsecurity.org/?p=2293", + "description": "Metcalf, S. (2015, December 31). 
Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.", + "source_name": "AdSecurity Cracking Kerberos Dec 2015" + }, + { + "url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/", + "description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.", + "source_name": "Microsoft Detecting Kerberoasting Feb 2018" + }, + { + "source_name": "Microsoft 4768 TGT 2017", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768", + "description": "Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication ticket (TGT) was requested. Retrieved August 24, 2020." + } + ], + "platforms": [ + "Windows" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "permissions": [ + "User" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0.json new file mode 100644 index 000000000..08342ef78 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0", + "name": "Virtual Private Server", + "description": "Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.003", + "url": "https://attack.mitre.org/techniques/T1584/003" + }, + { + "source_name": "NSA NCSC Turla OilRig", + "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf", + "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8.json new file mode 100644 index 000000000..c8dfafbaf --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8.json 
@@ -0,0 +1,34 @@ +{ + "id": "attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8", + "name": "Reduce Key Space", + "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1600.001", + "url": "https://attack.mitre.org/techniques/T1600/001" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a.json index ef09a2970..a7140e31d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a.json 
@@ -1,17 +1,33 @@ { "id": "attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a", "name": "Clear Command History", - "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nThese logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history.", + "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. 
The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", "references": [ { "source_name": "mitre-attack", "external_id": "T1070.003", "url": "https://attack.mitre.org/techniques/T1070/003" + }, + { + "source_name": "Microsoft PowerShell Command History", + "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7", + "description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020." 
+ }, + { + "source_name": "Sophos PowerShell command audit", + "url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit", + "description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020." + }, + { + "source_name": "Sophos PowerShell Command History Forensics", + "url": "https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics", + "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020." } ], "platforms": [ "Linux", - "macOS" + "macOS", + "Windows" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe.json index 241e80c31..08898759f 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe", "name": "Obtain booter/stressor subscription", - "description": "Configure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1396).\n\nConfigure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)", "references": [ { "source_name": "mitre-pre-attack", 
@@ -10,15 +10,18 @@ }, { "source_name": "Krebs-Anna", - "description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017." + "description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/" }, { "source_name": "Krebs-Booter", - "description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017." + "description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/" }, { "source_name": "Krebs-Bazaar", - "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017." + "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b.json new file mode 100644 index 000000000..f65314b96 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", + "name": "Email Accounts", + "description": "Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1586.002", + "url": "https://attack.mitre.org/techniques/T1586/002" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json index 41991f65f..572f5c2d7 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a", "name": "Shadow DNS", - "description": "The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1340).\n\nThe process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)", "references": [ { "source_name": "mitre-pre-attack", @@ -10,7 +10,8 @@ }, { "source_name": "CiscoAngler", - "description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017." + "description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.", + "url": "https://blogs.cisco.com/security/talos/angler-domain-shadowing" }, { "source_name": "ProofpointDomainShadowing", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7.json index 60608f8b9..052682fac 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7.json @@ -30,7 +30,7 @@ }, { "source_name": "Schneider Electric USB Malware", - "url": "https://www.schneider-electric.com/en/download/document/SESN-2018-236-01/", + "url": "https://www.se.com/ww/en/download/document/SESN-2018-236-01/", "description": "Schneider Electric. (2018, August 24). Security Notification \u2013 USB Removable Media Provided With Conext Combox and Conext Battery Monitor. Retrieved May 28, 2019." }, { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c.json index b021e584b..88f4d441e 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", "name": "Exploit Public-Facing Application", - "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).\n\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", + "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. 
These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", "references": [ { "source_name": "mitre-attack", 
@@ -18,6 +18,16 @@ "description": "CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.", "source_name": "CIS Multiple SMB Vulnerabilities" }, + { + "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + }, { "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7169", "description": "National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.", @@ -40,7 +50,8 @@ "macOS", "AWS", "GCP", - "Azure" + "Azure", + "Network" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a.json index 3da28fc6e..a04aec682 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a.json @@ -8,6 +8,11 @@ "external_id": "T1558", "url": "https://attack.mitre.org/techniques/T1558" }, + { + "external_id": "CAPEC-652", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/652.html" + }, { "source_name": "ADSecurity Kerberos Ring Decoder", "url": "https://adsecurity.org/?p=227", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3.json new file mode 100644 index 000000000..4b6ad019a --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3.json 
@@ -0,0 +1,51 @@ +{ + "id": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", + "name": "Domains", + "description": "Before compromising a victim, adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. 
Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.001", + "url": "https://attack.mitre.org/techniques/T1583/001" + }, + { + "external_id": "CAPEC-630", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/630.html" + }, + { + "source_name": "CISA MSS Sep 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-258a", + "description": "CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020." + }, + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "source_name": "PaypalScam", + "description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.", + "url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/" + }, + { + "source_name": "CISA IDN ST05-016", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-016", + "description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020." + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83.json index 822131c26..7bfce0eff 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83", "name": "Application Shimming", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. 
However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. 
\n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--451a9977-d255-43c9-b431-66de80130c8c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--451a9977-d255-43c9-b431-66de80130c8c.json index a9fe66e6e..33d0af009 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--451a9977-d255-43c9-b431-66de80130c8c.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--451a9977-d255-43c9-b431-66de80130c8c.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c", "name": "Traffic Signaling", - "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.", + "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. 
This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.", "references": [ { "source_name": "mitre-attack", 
@@ -12,12 +12,28 @@ "url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631", "description": "Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.", "source_name": "Hartrell cd00r 2002" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." } ], "platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--45242287-2964-4a3e-9373-159fad4d8195.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--45242287-2964-4a3e-9373-159fad4d8195.json index f2913e736..f826c9e29 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--45242287-2964-4a3e-9373-159fad4d8195.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--45242287-2964-4a3e-9373-159fad4d8195.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195", "name": "Buy domain name", - "description": "Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1328).\n\nDomain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--46017368-6e09-412b-a29c-385be201cc03.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--46017368-6e09-412b-a29c-385be201cc03.json index 20108fd76..9d120f7cc 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--46017368-6e09-412b-a29c-385be201cc03.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--46017368-6e09-412b-a29c-385be201cc03.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--46017368-6e09-412b-a29c-385be201cc03", "name": "Obtain domain/IP registration information", - "description": "For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. (Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1251).\n\nFor a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. (Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a.json index 7843b20c9..8a7ae924c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a", "name": "Build or acquire exploits", - "description": "An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1349).\n\nAn exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)", "references": [ { "source_name": "mitre-pre-attack", 
@@ -10,11 +10,13 @@ }, { "source_name": "NYTStuxnet", - "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017." + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" }, { "source_name": "NationsBuying", - "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017." + "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.", + "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6.json index cc51f51f0..f1712006f 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", "name": "Acquire and/or use 3rd party software services", - "description": "A wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1330).\n\nA wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077.json index e79a11860..94f6687db 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077", "name": "Compromise 3rd party infrastructure to support delivery", - "description": "Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1312).\n\nInstead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49.json index c64506be9..d40cf0ca1 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "name": "CMSTP", - "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \u201dSquiblydoo\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)", + "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. 
(Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \u201dSquiblydoo\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d.json index 8b7b7ee44..319fff4a2 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d", "name": "Assign KITs, KIQs, and/or intelligence requirements", - "description": "Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1238).\n\nOnce generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f.json index a287238c6..3f22d7c5e 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f", "name": "Control Panel", - "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)\n\nFor ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.", + "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. 
The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)", "references": [ { "source_name": "mitre-attack", 
@@ -9,9 +9,9 @@ "url": "https://attack.mitre.org/techniques/T1218/002" }, { - "url": "https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx", + "source_name": "Microsoft Implementing CPL", "description": "M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.", - "source_name": "Microsoft Implementing CPL" + "url": "https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx" }, { "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf", @@ -27,6 +27,11 @@ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", "description": "Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.", "source_name": "Palo Alto Reaver Nov 2017" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "platforms": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de.json new file mode 100644 index 000000000..9a739d362 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de.json 
@@ -0,0 +1,29 @@
+{
+ "id": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
+ "name": "Network Address Translation Traversal",
+ "description": "Adversaries may bridge network boundaries by modifying a network device\u2019s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. 
\n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1599.001",
+ "url": "https://attack.mitre.org/techniques/T1599/001"
+ },
+ {
+ "source_name": "RFC1918",
+ "url": "https://tools.ietf.org/html/rfc1918",
+ "description": "IETF Network Working Group. (1996, February). Address Allocation for Private Internets. Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "Network"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "permissions": [
+ "Administrator"
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c.json
index 61451fe44..1ddde972e 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c.json
@@ -1,7 +1,7 @@ { "id": "attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c", "name": "Conduct cost/benefit analysis", - "description": "Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1226).\n\nLeadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)", "references": [ { "external_id": "T1226", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41.json new file mode 100644 index 000000000..525a5c152 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41.json 
@@ -0,0 +1,26 @@
+{
+ "id": "attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41",
+ "name": "Threat Intel Vendors",
+ "description": "Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\n\nAdversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1597.001",
+ "url": "https://attack.mitre.org/techniques/T1597/001"
+ },
+ {
+ "source_name": "D3Secutrity CTI Feeds",
+ "url": "https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/",
+ "description": "Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd.json
new file mode 100644
index 000000000..438aed349
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd.json
@@ -0,0 +1,39 @@
+{
+ "id": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
+ "name": "Network Device Configuration Dump",
+ "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1602.002",
+ "url": "https://attack.mitre.org/techniques/T1602/002"
+ },
+ {
+ "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
+ "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A",
+ "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "Cisco Blog Legacy Device Attacks",
+ "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954",
+ "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "US-CERT TA18-068A 2018",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A",
+ "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019."
+ }
+ ],
+ "platforms": [
+ "Network"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "permissions": [
+ "Administrator"
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4.json
new file mode 100644
index 000000000..e2e5e2913
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4.json
@@ -0,0 +1,61 @@
+{
+ "id": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
+ "name": "Gather Victim Identity Information",
+ "description": "Before compromising a victim, adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1589",
+ "url": "https://attack.mitre.org/techniques/T1589"
+ },
+ {
+ "source_name": "OPM Leak",
+ "url": "https://www.opm.gov/cybersecurity/cybersecurity-incidents/",
+ "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "Register Deloitte",
+ "url": "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/",
+ "description": "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "Register Uber",
+ "url": "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/",
+ "description": "McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "Detectify Slack Tokens",
+ "url": "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/",
+ "description": "Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "Forbes GitHub Creds",
+ "url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196",
+ "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "GitHub truffleHog",
+ "url": "https://github.com/dxa4481/truffleHog",
+ "description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "GitHub Gitrob",
+ "url": "https://github.com/michenriksen/gitrob",
+ "description": "Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "CNET Leaks",
+ "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/",
+ "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. 
Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2.json
index 93a1902e3..dea4680f9 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2.json
@@ -1,7 +1,7 @@ { "id": "attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2", "name": "OS-vendor provided communication channels", - "description": "Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1390).\n\nGoogle and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json index 0ff92fee4..8b5b063c4 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f", "name": "SSL certificate acquisition for trust breaking", - "description": "Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1338).\n\nFake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b.json index 999e6ffb8..881575640 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "name": "Mail Protocols", - "description": "Adversaries may communicate using application layer protocols associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe.json index c7017cf69..bcb667a53 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe", "name": "Dynamic DNS", - "description": "Dynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1333).\n\nDynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4.json new file mode 100644 index 000000000..d250b9567 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4.json 
@@ -0,0 +1,26 @@
+{
+ "id": "attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4",
+ "name": "Vulnerability Scanning",
+ "description": "Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1595.002",
+ "url": "https://attack.mitre.org/techniques/T1595/002"
+ },
+ {
+ "source_name": "OWASP Vuln Scanning",
+ "url": "https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning",
+ "description": "OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0.json
new file mode 100644
index 000000000..0e1e69f87
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0.json
@@ -0,0 +1,56 @@
+{
+ "id": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0",
+ "name": "Search Open Technical Databases",
+ "description": "Before compromising a victim, adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1596",
+ "url": "https://attack.mitre.org/techniques/T1596"
+ },
+ {
+ "source_name": "WHOIS",
+ "url": "https://www.whois.net/",
+ "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "DNS Dumpster",
+ "url": "https://dnsdumpster.com/",
+ "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "Circl Passive DNS",
+ "url": "https://www.circl.lu/services/passive-dns/",
+ "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "Medium SSL Cert",
+ "url": "https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2",
+ "description": "Jain, M. (2019, September 16). Export & Download \u2014 SSL Certificate from Server (Site URL). Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "SSLShopper Lookup",
+ "url": "https://www.sslshopper.com/ssl-checker.html",
+ "description": "SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "DigitalShadows CDN",
+ "url": "https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/",
+ "description": "Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed \u2013 How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "Shodan",
+ "url": "https://shodan.io",
+ "description": "Shodan. (n.d.). Shodan. Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6.json
index 6b334fa84..1ecd97257 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6.json
@@ -1,7 +1,7 @@ { "id": "attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6", "name": "Test signature detection", - "description": "An adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1292).\n\nAn adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba.json index b5cefc1e7..bfaf279a1 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba.json 
@@ -8,6 +8,16 @@ "external_id": "T1543.004", "url": "https://attack.mitre.org/techniques/T1543/004" }, + { + "external_id": "CAPEC-550", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/550.html" + }, + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, { "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html", "description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json index 044457ee9..60bdafcc8 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870", "name": "Analyze business processes", - "description": "Business processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1301).\n\nBusiness processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d.json new file mode 100644 index 000000000..cf582f76a --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d.json 
@@ -0,0 +1,56 @@ +{ + "id": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "name": "Cloud Infrastructure Discovery", + "description": "An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1580", + "url": "https://attack.mitre.org/techniques/T1580" + }, + { + "source_name": "Amazon Describe Instance", + "url": 
"https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html", + "description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020." + }, + { + "source_name": "Amazon Describe Instances API", + "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html", + "description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020." + }, + { + "source_name": "Google Compute Instances", + "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list", + "description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020." + }, + { + "description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.", + "url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest", + "source_name": "Microsoft AZ CLI" + }, + { + "source_name": "Expel IO Evil in AWS", + "url": "https://expel.io/blog/finding-evil-in-aws/", + "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." + }, + { + "source_name": "Mandiant M-Trends 2020", + "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + } + ], + "platforms": [ + "AWS", + "Azure", + "GCP" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "permissions": [ + "User" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2.json index 598658a6e..5deec8c8f 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2.json 
@@ -9,9 +9,9 @@ "url": "https://attack.mitre.org/techniques/T1574/008" }, { - "external_id": "CAPEC-CAPEC", + "external_id": "CAPEC-159", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/CAPEC.html" + "url": "https://capec.mitre.org/data/definitions/159.html" }, { "url": "http://msdn.microsoft.com/en-us/library/ms682425", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--59369f72-3005-4e54-9095-3d00efcece73.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--59369f72-3005-4e54-9095-3d00efcece73.json index b2ddede24..157d65ec6 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--59369f72-3005-4e54-9095-3d00efcece73.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--59369f72-3005-4e54-9095-3d00efcece73.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73", "name": "Identify supply chains", - "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1265).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85.json index e063bf03f..f3a5dfdb9 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85", "name": "Compromise 3rd party or closed-source vulnerability/exploit information", - "description": "There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1354).\n\nThere is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)", "references": [ { "source_name": "mitre-pre-attack", @@ -10,7 +10,8 @@ }, { "source_name": "TempertonDarkHotel", - "description": "JAMES TEMPERTON. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017." + "description": "Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017.", + "url": "https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549.json index d3d7bb201..7e5fc5ae5 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549", "name": "Identify business relationships", - "description": "Business relationship information includes the associates of a target and may be discovered via social media sites such as [LinkedIn](https://www.linkedin.com) or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: RSA-APTRecon) (Citation: Scasny2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1272).\n\nBusiness relationship information includes the associates of a target and may be discovered via social media sites such as [LinkedIn](https://www.linkedin.com) or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: RSA-APTRecon) (Citation: Scasny2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5.json index 123fe273a..f7f6d41f2 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5.json 
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5.json @@ -13,6 +13,11 @@ "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/572.html" }, + { + "external_id": "CAPEC-655", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/655.html" + }, { "source_name": "ESET OceanLotus", "description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.", @@ -25,7 +30,7 @@ }, { "source_name": "VirusTotal FAQ", - "url": "https://www.virustotal.com/en/faq/ ", + "url": "https://www.virustotal.com/en/faq/", "description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019." } ], diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb.json index b26c2cb52..d685ed019 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb.json @@ -9,9 +9,14 @@ "url": "https://attack.mitre.org/techniques/T1505/003" }, { - "url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", + "external_id": "CAPEC-650", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/650.html" + }, + { + "source_name": "Lee 2013", "description": "Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.", - "source_name": "Lee 2013" + "url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" }, { "url": "https://www.us-cert.gov/ncas/alerts/TA15-314A", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc.json index 99d5e18ca..d147f5b3b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc", "name": "Develop KITs/KIQs", - "description": "Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1227).\n\nLeadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337.json
new file mode 100644
index 000000000..7fd4d907a
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337.json
@@ -0,0 +1,26 @@
+{
+ "id": "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337",
+ "name": "Server",
+ "description": "Before compromising a victim, adversaries may buy, lease, or rent physical servers\u00a0that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1583.004",
+ "url": "https://attack.mitre.org/techniques/T1583/004"
+ },
+ {
+ "source_name": "NYTStuxnet",
+ "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
+ "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html"
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d.json index a8f0910ac..754e98b49 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d.json @@ -8,6 +8,11 @@ "external_id": "T1078.001", "url": "https://attack.mitre.org/techniques/T1078/001" }, + { + "external_id": "CAPEC-70", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/70.html" + }, { "source_name": "Microsoft Local Accounts Feb 2019", "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b.json index e058751cb..d0d042cb1 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b", "name": "Use multiple DNS infrastructures", - "description": "A technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records. (Citation: KrebsStLouisFed)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1327).\n\nA technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records. (Citation: KrebsStLouisFed)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825.json index 617ec6d96..91c69fbe1 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825.json @@ -8,6 +8,16 @@ "external_id": "T1574.006", "url": "https://attack.mitre.org/techniques/T1574/006" }, + { + "external_id": "CAPEC-13", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/13.html" + }, + { + "external_id": "CAPEC-640", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/640.html" + }, { "source_name": "Man LD.SO", "url": "https://www.man7.org/linux/man-pages/man8/ld.so.8.html", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a.json new file mode 100644 index 000000000..f1b931e80 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a.json 
@@ -0,0 +1,31 @@
+{
+ "id": "attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a",
+ "name": "Email Accounts",
+ "description": "Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1585.002",
+ "url": "https://attack.mitre.org/techniques/T1585/002"
+ },
+ {
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
+ "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+ "source_name": "Mandiant APT1"
+ },
+ {
+ "source_name": "Trend Micro R980 2016",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/",
+ "description": "Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware Found Abusing Disposable Email Address Service. Retrieved October 13, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b.json new file mode 100644 index 000000000..e97016277 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b", + "name": "Active Scanning", + "description": "Before compromising a victim, adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1595", + "url": "https://attack.mitre.org/techniques/T1595" + }, + { + "source_name": "Botnet Scan", + "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf", + "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020." + }, + { + "source_name": "OWASP Fingerprinting", + "url": "https://wiki.owasp.org/index.php/OAT-004_Fingerprinting", + "description": "OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved October 20, 2020." 
+ } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94.json index 21aeefca2..6e5d2b395 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94", "name": "Obtain templates/branding materials", - "description": "Templates and branding materials may be used by an adversary to add authenticity to social engineering message. (Citation: Scasny2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1281).\n\nTemplates and branding materials may be used by an adversary to add authenticity to social engineering message. (Citation: Scasny2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c.json index 92b7f580f..e82d6a158 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c.json 
@@ -8,6 +8,11 @@ "external_id": "T1110.003", "url": "https://attack.mitre.org/techniques/T1110/003" }, + { + "external_id": "CAPEC-565", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/565.html" + }, { "url": "http://www.blackhillsinfosec.com/?p=4645", "description": "Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12.json index e2c72255e..18377170f 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12", "name": "Mine social media", - "description": "An adversary may research available open source information about a target commonly found on social media sites such as [Facebook](https://www.facebook.com), [Instagram](https://www.instagram.com), or [Pinterest](https://www.pinterest.com). Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1273).\n\nAn adversary may research available open source information about a target commonly found on social media sites such as [Facebook](https://www.facebook.com), [Instagram](https://www.instagram.com), or [Pinterest](https://www.pinterest.com). Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262.json new file mode 100644 index 000000000..0a4d92740 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262", + "name": "Email Addresses", + "description": "Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1589.002", + "url": "https://attack.mitre.org/techniques/T1589/002" + }, + { + "source_name": "HackersArise Email", + "url": "https://www.hackers-arise.com/email-scraping-and-maltego", + "description": "Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved October 20, 2020." + }, + { + "source_name": "CNET Leaks", + "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/", + "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd.json index 41c3aaad6..56fca7925 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd", "name": "Determine firmware version", - "description": "Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1258).\n\nFirmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413.json new file mode 100644 index 000000000..0e76ea3fd --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413", + "name": "Network Security Appliances", + "description": "Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.006", + "url": "https://attack.mitre.org/techniques/T1590/006" + }, + { + "source_name": "Nmap Firewalls NIDS", + "url": "https://nmap.org/book/firewalls.html", + "description": "Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems. 
Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d.json index 6bb309e5f..d579d1736 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d", "name": "Dumpster dive", - "description": "Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1286).\n\nDumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6.json index 772c081eb..a81e4757e 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6", "name": "Image File Execution Options Injection", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\u2019s IFEO will be prepended to the application\u2019s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). 
After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\u2019s IFEO will be prepended to the application\u2019s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. 
(Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. 
(Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968.json new file mode 100644 index 000000000..cb79b1a02 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968", + "name": "Search Engines", + "description": "Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1593.002", + "url": "https://attack.mitre.org/techniques/T1593/002" + }, + { + "source_name": "SecurityTrails Google Hacking", + "url": "https://securitytrails.com/blog/google-hacking-techniques", + "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020." + }, + { + "source_name": "ExploitDB GoogleHacking", + "url": "https://www.exploit-db.com/google-hacking-database", + "description": "Offensive Security. (n.d.). Google Hacking Database. 
Retrieved October 23, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f.json new file mode 100644 index 000000000..9db8c5361 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f", + "name": "Business Relationships", + "description": "Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization\u2019s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim\u2019s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1591.002", + "url": "https://attack.mitre.org/techniques/T1591/002" + }, + { + "source_name": "ThreatPost Broadvoice Leak", + "url": 
"https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/", + "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b.json index 7a575e025..259df0373 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b", "name": "Host-based hiding techniques", - "description": "Host based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code. (Citation: VirutAP)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1314).\n\nHost based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code. (Citation: VirutAP)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4.json index a63d45426..bd76216f5 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4.json @@ -11,7 +11,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." }, { "source_name": "AWS CloudTrail Search", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--70d81154-b187-45f9-8ec5-295d01255979.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--70d81154-b187-45f9-8ec5-295d01255979.json index 1b579e3e9..781040db6 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--70d81154-b187-45f9-8ec5-295d01255979.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--70d81154-b187-45f9-8ec5-295d01255979.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979", "name": "Executable Installer File Permissions Weakness", - "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). 
Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", + "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. 
Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08.json index 214f46539..a565d50c7 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08.json @@ -7,6 +7,11 @@ "source_name": "mitre-attack", "external_id": "T1087", "url": "https://attack.mitre.org/techniques/T1087" + }, + { + "external_id": "CAPEC-575", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/575.html" } ], "platforms": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39.json index e9b49af89..f3c67ab7e 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39", "name": "Obfuscate infrastructure", - "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1331).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea.json index f7d757a8e..836819f15 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea.json @@ -22,7 +22,8 @@ "platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830.json index 156ddab5d..571ff4104 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830.json @@ -12,7 +12,8 @@ "platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "kill_chain": [ { 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424.json index 1a098c372..48ee9fa3f 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424", "name": "Install and configure hardware, network, and systems", - "description": "An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1336).\n\nAn adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a.json index b45175d9b..a57fb5681 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", "name": "Identify business relationships", - "description": "Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: 11StepsAttackers)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1283).\n\nBusiness relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: 11StepsAttackers)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1.json index 0337230b9..71497c90b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1", "name": "Conduct social engineering", - "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1249).\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--762771c2-3675-4535-88e9-b1f891758974.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--762771c2-3675-4535-88e9-b1f891758974.json index cb8b544dd..3d390620b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--762771c2-3675-4535-88e9-b1f891758974.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--762771c2-3675-4535-88e9-b1f891758974.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--762771c2-3675-4535-88e9-b1f891758974", "name": "Identify personnel with an authority/privilege", - "description": "Personnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1271).\n\nPersonnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156.json new file mode 100644 index 000000000..330e955ac --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156", + "name": "Employee Names", + "description": "Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\n\nAdversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1589.003", + "url": "https://attack.mitre.org/techniques/T1589/003" + }, + { + "source_name": "OPM Leak", + "url": "https://www.opm.gov/cybersecurity/cybersecurity-incidents/", + "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0.json index 055815835..668f164cd 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0.json
@@ -20,7 +20,7 @@
 },
 {
 "source_name": "Harmj0y Domain Trusts",
- "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ ",
+ "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
 "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019."
 },
 {
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407.json
index 237f2d12c..be67d6cfd 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407.json
@@ -1,7 +1,7 @@ { "id": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407", "name": "Identify job postings and needs/gaps", - "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as under-resourced IT shop). Job postings can also provide information on an organizations structure which could be valuable in social engineering attempts. (Citation: JobPostingThreat) (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1278).\n\nJob postings, on either company sites, or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as under-resourced IT shop). Job postings can also provide information on an organizations structure which could be valuable in social engineering attempts. (Citation: JobPostingThreat) (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--773950e1-090c-488b-a480-9ff236312e31.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--773950e1-090c-488b-a480-9ff236312e31.json index c48632c17..270f637ce 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--773950e1-090c-488b-a480-9ff236312e31.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--773950e1-090c-488b-a480-9ff236312e31.json 
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--773950e1-090c-488b-a480-9ff236312e31",
 "name": "Analyze data collected",
- "description": "An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper) (Citation: RSA-APTRecon) (Citation: FireEyeAPT28)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1287).\n\nAn adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper) (Citation: RSA-APTRecon) (Citation: FireEyeAPT28)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9.json
index 94215a9bc..9dc92d067 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9.json
@@ -12,7 +12,8 @@
 "platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "kill_chain": [
 {
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c.json
new file mode 100644
index 000000000..d02c0b5cb
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c.json
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "name": "Client Configurations", + "description": "Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592.004", + "url": "https://attack.mitre.org/techniques/T1592/004" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c.json index c03a4437a..9f0b6e11a 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c.json 
@@ -11,7 +11,7 @@
 {
 "source_name": "Expel IO Evil in AWS",
 "url": "https://expel.io/blog/finding-evil-in-aws/",
- "description": "Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."
+ "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."
 }
 ],
 "platforms": [
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json
index 6af382eec..defe322b3 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json
@@ -1,12 +1,17 @@
 {
 "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
- "name": "Android Intent Hijacking",
- "description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE).",
+ "name": "URI Hijacking",
+ "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)",
 "references": [
 {
 "source_name": "mitre-mobile-attack",
- "url": "https://attack.mitre.org/techniques/T1416",
- "external_id": "T1416"
+ "external_id": "T1416",
+ "url": "https://attack.mitre.org/techniques/T1416"
+ },
+ {
+ "source_name": "Trend Micro iOS URL Hijacking",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/",
+ "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020."
 },
 {
 "source_name": "IETF-PKCE",
@@ -15,7 +20,8 @@
 }
 ],
 "platforms": [
- "Android"
+ "Android",
+ "iOS"
 ],
 "kill_chain": [
 {
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970.json
new file mode 100644
index 000000000..f789f7592
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970.json
@@ -0,0 +1,21 @@
+{
+ "id": "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970",
+ "name": "Malware",
+ "description": "Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1588.001",
+ "url": "https://attack.mitre.org/techniques/T1588/001"
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b.json
index 4113b27e7..e3f6da42a 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b", "name": "Acquire OSINT data sets and information", - "description": "Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1247).\n\nOpen source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c.json index 8d4761f97..422dfb75a 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c", "name": "Identify supply chains", - "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1276).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531.json index 20b824e9d..35316c8aa 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531", "name": "Receive operator KITs/KIQs tasking", - "description": "Analysts may receive intelligence requirements from leadership and begin research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associating with satisfying a requirement. (Citation: FBIIntelligencePrimer)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1235).\n\nAnalysts may receive intelligence requirements from leadership and begin research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associating with satisfying a requirement. (Citation: FBIIntelligencePrimer)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090.json index 7736d1e10..06963a1dd 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090", "name": "Enumerate client configurations", - "description": "Client configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers. (Citation: UnseenWorldOfCookies) (Citation: Panopticlick)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1262).\n\nClient configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers. (Citation: UnseenWorldOfCookies) (Citation: Panopticlick)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--78e41091-d10d-4001-b202-89612892b6ff.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--78e41091-d10d-4001-b202-89612892b6ff.json index e1eb25380..18d44502a 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--78e41091-d10d-4001-b202-89612892b6ff.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--78e41091-d10d-4001-b202-89612892b6ff.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff", "name": "Identify supply chains", - "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1246).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6.json index c8dc60d75..d035a3c62 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6.json 
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6",
 "name": "Acquire and/or use 3rd party infrastructure services",
- "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1329).\n\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
@@ -10,7 +10,8 @@
 },
 {
 "source_name": "TrendmicroHideoutsLease",
- "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017."
+ "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.",
+ "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf"
 }
 ],
 "kill_chain": [
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795.json
new file mode 100644
index 000000000..8a6b1e790
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795.json
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795", + "name": "Virtual Private Server", + "description": "Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs)\u00a0that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.003", + "url": "https://attack.mitre.org/techniques/T1583/003" + }, + { + "source_name": "TrendmicroHideoutsLease", + "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.", + "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e.json index 1a2c103d2..9a851ee97 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e.json 
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e", "name": "Choose pre-compromised mobile app developer account credentials or signing keys", - "description": "The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1391).\n\nThe adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc.json index 947a56b10..3b5237cae 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc", "name": "Analyze organizational skillsets and deficiencies", - "description": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1300).\n\nAnalyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18.json index 8857ca483..f7e241d73 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18.json @@ -8,6 +8,16 @@ "external_id": "T1083", "url": "https://attack.mitre.org/techniques/T1083" }, + { + "external_id": "CAPEC-127", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/127.html" + }, + { + "external_id": "CAPEC-497", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/497.html" + }, { "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1.json new file mode 100644 index 000000000..d62262b0c --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1.json 
@@ -0,0 +1,49 @@ +{ + "id": "attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1", + "name": "Traffic Duplication", + "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1020.001", + "url": "https://attack.mitre.org/techniques/T1020/001" + }, + { + "external_id": "CAPEC-117", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/117.html" + }, + { + "source_name": "Cisco Traffic Mirroring", + "url": "https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html", + "description": "Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020." 
+ }, + { + "source_name": "Juniper Traffic Mirroring", + "url": "https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html", + "description": "Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020." + }, + { + "source_name": "US-CERT-TA18-106A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40.json index d9199574d..12203cdcf 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40", "name": "Identify sensitive personnel information", - "description": "An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1274).\n\nAn adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e.json index 0b26208ba..5cae78493 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e.json @@ -16,7 +16,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "platforms": [ 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9.json new file mode 100644 index 000000000..6642350ca --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9.json 
@@ -0,0 +1,46 @@ +{ + "id": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "name": "Compromise Infrastructure", + "description": "Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584", + "url": "https://attack.mitre.org/techniques/T1584" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "source_name": "ICANNDomainNameHijacking", + "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. 
Retrieved March 6, 2017.", + "url": "https://www.icann.org/groups/ssac/documents/sac-007-en" + }, + { + "source_name": "Talos DNSpionage Nov 2018", + "url": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", + "description": "Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020." + }, + { + "source_name": "FireEye EPS Awakens Part 2", + "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + }, + { + "source_name": "NSA NCSC Turla OilRig", + "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf", + "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5.json new file mode 100644 index 000000000..5215d8859 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5.json 
@@ -0,0 +1,29 @@ +{ + "id": "attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5", + "name": "Disable Crypto Hardware", + "description": "Adversaries disable a network device\u2019s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1600.002", + "url": "https://attack.mitre.org/techniques/T1600/002" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e.json index a955e85ee..b490830b1 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e.json @@ -21,7 +21,8 @@ ], "platforms": [ "Linux", - "Windows" + "Windows", + "Network" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726.json index 5e95f4be3..6b3bdec63 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726", "name": "Conduct active scanning", - "description": "Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1254).\n\nActive scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327.json new file mode 100644 index 000000000..e0def25cc --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327.json 
@@ -0,0 +1,49 @@ +{ + "id": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327", + "name": "Verclsid", + "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1218.012", + "url": "https://attack.mitre.org/techniques/T1218/012" + }, + { + "source_name": "WinOSBite verclsid.exe", + "url": "https://www.winosbite.com/verclsid-exe/\u00a0", + "description": "verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block\u00a0. Retrieved August 10, 2020." + }, + { + "source_name": "LOLBAS Verclsid", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "description": "LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020." + }, + { + "source_name": "Red Canary Verclsid.exe", + "url": "https://redcanary.com/blog/verclsid-exe-threat-detection/", + "description": "Haag, M., Levan, K. (2017, April 6). 
Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020." + }, + { + "source_name": "BOHOPS Abusing the COM Registry", + "url": "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "description": "BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020." + }, + { + "source_name": "Nick Tyrer GitHub", + "url": "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "description": "Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020." + } + ], + "platforms": [ + "Windows" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "User" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a.json new file mode 100644 index 000000000..821dc3102 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a", + "name": "Compromise Accounts", + "description": "Before compromising a victim, adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1586", + "url": "https://attack.mitre.org/techniques/T1586" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. 
Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3.json new file mode 100644 index 000000000..0c5e331c9 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3.json 
@@ -0,0 +1,36 @@ +{ + "id": "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3", + "name": "Botnet", + "description": "Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.005", + "url": "https://attack.mitre.org/techniques/T1584/005" + }, + { + "source_name": "Norton Botnet", + "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html", + "description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020." + }, + { + "source_name": "Imperva DDoS for Hire", + "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/", + "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020." + }, + { + "source_name": "Dell Dridex Oct 2015", + "url": "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--818302b2-d640-477b-bf88-873120ce85c4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--818302b2-d640-477b-bf88-873120ce85c4.json new file mode 100644 index 000000000..f10e02092 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--818302b2-d640-477b-bf88-873120ce85c4.json 
@@ -0,0 +1,35 @@ +{ + "id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4", + "name": "Network Device CLI", + "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1059.008", + "url": "https://attack.mitre.org/techniques/T1059/008" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Command History", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020." 
+ } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "permissions": [ + "Administrator", + "User" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json new file mode 100644 index 000000000..2000da47d --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json 
@@ -0,0 +1,37 @@ +{ + "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", + "name": "Geofencing", + "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", + "references": [ + { + "source_name": "mitre-mobile-attack", + "external_id": "T1581", + "url": "https://attack.mitre.org/techniques/T1581" + }, + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + }, + { + "source_name": "Android Geofencing API", + "url": "https://developer.android.com/training/location/geofencing", + "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020." + }, + { + "source_name": "Apple Location Services", + "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services", + "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020." + } + ], + "platforms": [ + "Android", + "iOS" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717.json index 8dadd15d6..f48f7b35f 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717", "name": "Discover new exploits and monitor exploit-provider forums", - "description": "An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1350).\n\nAn exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f.json index e724fa0cf..befde40dd 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f", "name": "Determine 3rd party infrastructure services", - "description": "Infrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization. (Citation: FFIECAwareness) (Citation: Zetter2015Threats)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1260).\n\nInfrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization. (Citation: FFIECAwareness) (Citation: Zetter2015Threats)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563.json index 96006598c..af9344252 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563", "name": "Analyze architecture and configuration posture", - "description": "An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1288).\n\nAn adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd.json index c1e5c6443..7df469d27 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd.json @@ -17,7 +17,8 @@ "platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54.json new file mode 100644 index 000000000..7d4a34a72 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54.json 
@@ -0,0 +1,21 @@ +{ + "id": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "name": "Web Services", + "description": "Before compromising a victim, adversaries may register for web services\u00a0that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.006", + "url": "https://attack.mitre.org/techniques/T1583/006" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc.json new file mode 100644 index 000000000..a1711e485 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc.json 
@@ -0,0 +1,41 @@ +{ + "id": "attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc", + "name": "Spearphishing Attachment", + "description": "Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1598.002", + "url": "https://attack.mitre.org/techniques/T1598/002" + }, + { + "source_name": "Sophos Attachment", + "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/", + "description": "Ducklin, P. (2020, October 2). 
Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020." + }, + { + "source_name": "GitHub Phishery", + "url": "https://github.com/ryhanson/phishery", + "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020." + }, + { + "source_name": "Microsoft Anti Spoofing", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020." + }, + { + "source_name": "ACSC Email Spoofing", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76.json index a3d341fca..3a6853a94 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76", "name": "Identify groups/roles", - "description": "Personnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1270).\n\nPersonnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd.json index 325119332..310872a0c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", - "name": "Additional Azure Service Principal Credentials", - "description": "Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to maintain persistent access to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)", + "name": "Additional Cloud Credentials", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nAdversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)\n\nAfter gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows 
persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)", "references": [ { "source_name": "mitre-attack", @@ -32,11 +32,28 @@ "source_name": "Demystifying Azure AD Service Principals", "url": "https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/", "description": "Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020." + }, + { + "source_name": "GCP SSH Key Add", + "url": "https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add", + "description": "Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020." + }, + { + "source_name": "Expel IO Evil in AWS", + "url": "https://expel.io/blog/finding-evil-in-aws/", + "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." + }, + { + "source_name": "Expel Behind the Scenes", + "url": "https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/", + "description": "S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020." } ], "platforms": [ "Azure AD", - "Azure" + "Azure", + "AWS", + "GCP" ], "kill_chain": [ { @@ -45,6 +62,7 @@ } ], "permissions": [ - "Administrator" + "Administrator", + "User" ] } \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8b57a8f1-9cbc-4b95-b162-cc2a1add94f2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8b57a8f1-9cbc-4b95-b162-cc2a1add94f2.json index 48ee51463..37cb36665 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8b57a8f1-9cbc-4b95-b162-cc2a1add94f2.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8b57a8f1-9cbc-4b95-b162-cc2a1add94f2.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--8b57a8f1-9cbc-4b95-b162-cc2a1add94f2", "name": "Test malware to evade detection", - "description": "An adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services. (Citation: MalwareQAZirtest)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1359).\n\nAn adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services. (Citation: MalwareQAZirtest)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d.json index 7cc09a96e..fb4624338 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d.json @@ -9,8 +9,8 @@ "url": "https://attack.mitre.org/techniques/T1564/002" }, { - "url": "https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty", - "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017.", + "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.", "source_name": "Cybereason OSX Pirrit" } ], 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e211ec9-5dfc-4915-aff4-84d5908f0336.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e211ec9-5dfc-4915-aff4-84d5908f0336.json index e09c636b1..c4af97886 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e211ec9-5dfc-4915-aff4-84d5908f0336.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e211ec9-5dfc-4915-aff4-84d5908f0336.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--8e211ec9-5dfc-4915-aff4-84d5908f0336", "name": "C2 protocol development", - "description": "Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media. (Citation: HAMMERTOSS2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1352).\n\nCommand and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media. (Citation: HAMMERTOSS2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json index 127a86d9a..160352078 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "name": "Delete Device Data", - "description": "An adversary could wipe the entire device contents or delete specific files. A malicious application could obtain and abuse Android device administrator access to wipe the entire device.(Citation: Android DevicePolicyManager 2019) Access to external storage directories or escalated privileges could be used to delete individual files.", + "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "references": [ { "source_name": "mitre-mobile-attack", @@ -21,6 +21,10 @@ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" } ] } \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e927b19-04a6-4aaa-a42f-4f0a53411d27.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e927b19-04a6-4aaa-a42f-4f0a53411d27.json index a3a74dd25..3d3a8555b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e927b19-04a6-4aaa-a42f-4f0a53411d27.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8e927b19-04a6-4aaa-a42f-4f0a53411d27.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--8e927b19-04a6-4aaa-a42f-4f0a53411d27", "name": "Assess current holdings, needs, and wants", - "description": "Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1236).\n\nAnalysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe.json index c4bb1270c..3bcf4d1a5 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe", "name": "Cloud Account", - "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider of SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\n\nAzure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) ", + "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. 
The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)", "references": [ { "source_name": "mitre-attack", @@ -27,6 +27,21 @@ "description": "Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.", "url": "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/", "source_name": "Black Hills Red Teaming MS AD Azure, 2018" + }, + { + "source_name": "AWS List Roles", + "description": "Amazon. (n.d.). List Roles. Retrieved August 11, 2020.", + "url": "https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html" + }, + { + "source_name": "AWS List Users", + "url": "https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html", + "description": "Amazon. (n.d.). List Users. Retrieved August 11, 2020." + }, + { + "source_name": "Google Cloud - IAM Servie Accounts List API", + "url": "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list", + "description": "Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020." } ], "platforms": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json deleted file mode 100644 index 073d67013..000000000 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", - "name": "URL Scheme Hijacking", - "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", - "references": [ - { - "source_name": "mitre-mobile-attack", - "url": "https://attack.mitre.org/techniques/T1415", - "external_id": "T1415" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "AUT-10" - }, - { - "source_name": "FireEye-Masque2", - "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.", - "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" - }, - { - "source_name": "Dhanjani-URLScheme", - "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.", - "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" - }, - { - "source_name": "IETF-PKCE", - "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", - "url": "https://tools.ietf.org/html/rfc7636" - }, - { - "source_name": "MobileIron-XARA", - "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. 
Retrieved December 21, 2016.", - "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" - } - ], - "platforms": [ - "iOS" - ], - "kill_chain": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ] -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59.json index 58b66fe22..88a18f9e8 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", - "name": "HISTCONTROL", - "description": "Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nThis setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \u201c ls\u201d will not be saved, but \u201cls\u201d would be saved by history.\n\n Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.", + "name": "Impair Command History Logging", + "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nAdversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. 
Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \u201c ls\u201d will not be saved, but \u201cls\u201d would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", "references": [ { "source_name": "mitre-attack", 
@@ -12,11 +12,27 @@ "external_id": "CAPEC-13", "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/13.html" + }, + { + "source_name": "Microsoft PowerShell Command History", + "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7", + "description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020." + }, + { + "source_name": "Sophos PowerShell command audit", + "url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit", + "description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020." + }, + { + "source_name": "Sophos PowerShell Command History Forensics", + "url": "https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics", + "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020." } ], "platforms": [ "Linux", - "macOS" + "macOS", + "Windows" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--90884cdb-31dd-431c-87db-9cc7e03191e5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--90884cdb-31dd-431c-87db-9cc7e03191e5.json index 72bc3a46e..f1f9e1cae 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--90884cdb-31dd-431c-87db-9cc7e03191e5.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--90884cdb-31dd-431c-87db-9cc7e03191e5.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--90884cdb-31dd-431c-87db-9cc7e03191e5", "name": "Network-based hiding techniques", - "description": "Technical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation. (Citation: HAMMERTOSS2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1315).\n\nTechnical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation. (Citation: HAMMERTOSS2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4.json index 0aba1d9c0..aa4131431 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4", "name": "Build social network persona", - "description": "For attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites ([Facebook](https://www.facebook.com), [LinkedIn](https://www.linkedin.com), [Twitter](https://twitter.com), [Google+](https://plus.google.com), etc.). (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1341).\n\nFor attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites ([Facebook](https://www.facebook.com), [LinkedIn](https://www.linkedin.com), [Twitter](https://twitter.com), [Google+](https://plus.google.com), etc.). (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)", "references": [ { "source_name": "mitre-pre-attack", 
@@ -10,11 +10,13 @@ }, { "source_name": "NEWSCASTER2014", - "description": "Mike Lennon. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017." + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" }, { "source_name": "BlackHatRobinSage", - "description": "Thomas Ryan. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017." + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" }, { "source_name": "RobinSageInterview", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75.json new file mode 100644 index 000000000..669490a3b --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75", + "name": "CDNs", + "description": "Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor\u2019s geographical region.\n\nAdversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization\u2019s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.004", + "url": "https://attack.mitre.org/techniques/T1596/004" + }, + { + "source_name": "DigitalShadows CDN", + "url": "https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/", + "description": "Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed \u2013 How You Might Be Affected And What You Can Do About It. 
Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--91a3735f-817a-4450-8ed4-f05a0f5c3877.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--91a3735f-817a-4450-8ed4-f05a0f5c3877.json index fc990d8f7..fb9aed48c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--91a3735f-817a-4450-8ed4-f05a0f5c3877.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--91a3735f-817a-4450-8ed4-f05a0f5c3877.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--91a3735f-817a-4450-8ed4-f05a0f5c3877", "name": "Determine strategic target", - "description": "An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1241).\n\nAn adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414.json index 1b7628767..c06e0904d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414.json 
@@ -5,8 +5,13 @@ "references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1072", - "external_id": "T1072" + "external_id": "T1072", + "url": "https://attack.mitre.org/techniques/T1072" + }, + { + "external_id": "CAPEC-187", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/187.html" } ], "platforms": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23.json new file mode 100644 index 000000000..31bf4067c --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23", + "name": "Gather Victim Org Information", + "description": "Before compromising a victim, adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1591", + "url": "https://attack.mitre.org/techniques/T1591" + }, + { + "source_name": "ThreatPost Broadvoice Leak", + "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/", + "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020." 
+ }, + { + "source_name": "DOB Business Lookup", + "url": "https://www.dobsearch.com/business-lookup/", + "description": "Concert Technologies . (n.d.). Business Lookup - Company Name Search. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41.json index 2c92f0611..110148c2e 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41", "name": "Analyze organizational skillsets and deficiencies", - "description": "Understanding organizational skillsets and deficiencies could provide insight in to weakness in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1297).\n\nUnderstanding organizational skillsets and deficiencies could provide insight in to weakness in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9755ecdc-deb0-40e6-af49-713cb0f8ed92.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9755ecdc-deb0-40e6-af49-713cb0f8ed92.json index 77120dc17..9bcb14da6 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9755ecdc-deb0-40e6-af49-713cb0f8ed92.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9755ecdc-deb0-40e6-af49-713cb0f8ed92.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--9755ecdc-deb0-40e6-af49-713cb0f8ed92", "name": "Remote access tool development", - "description": "A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. (Citation: ActiveMalwareEnergy)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1351).\n\nA remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. (Citation: ActiveMalwareEnergy)", "references": [ { "source_name": "mitre-pre-attack", @@ -10,7 +10,8 @@ }, { "source_name": "ActiveMalwareEnergy", - "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017." + "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b.json index 6350f4eb0..362e52d73 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b", "name": "File Transfer Protocols", - "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFPT that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", "references": [ { "source_name": "mitre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9a8c47f6-ae69-4044-917d-4b1602af64d9.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9a8c47f6-ae69-4044-917d-4b1602af64d9.json index 02c9652b9..aff49bc32 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9a8c47f6-ae69-4044-917d-4b1602af64d9.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9a8c47f6-ae69-4044-917d-4b1602af64d9.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--9a8c47f6-ae69-4044-917d-4b1602af64d9", "name": "Choose pre-compromised persona and affiliated accounts", - "description": "For attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1343).\n\nFor attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)", "references": [ { "source_name": "mitre-pre-attack", 
@@ -10,7 +10,8 @@ }, { "source_name": "AnonHBGary", - "description": "PETER BRIGHT. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017." + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" }, { "source_name": "Hacked Social Media Accounts", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7.json index 1dc9b0bc1..6792e2174 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7", "name": "Obfuscate operational infrastructure", - "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: DellComfooMasters)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1318).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: DellComfooMasters)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109.json new file mode 100644 index 000000000..d8f642811 --- /dev/null 
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109.json 
@@ -0,0 +1,36 @@ +{ + "id": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "name": "Gather Victim Network Information", + "description": "Before compromising a victim, adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590", + "url": "https://attack.mitre.org/techniques/T1590" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." 
+ }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747.json index a4b55317e..360212bfc 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747.json @@ -15,7 +15,7 @@ }, { "description": "THE FINANCIAL TIMES. (2019, September 2). A sobering day. Retrieved October 8, 2019.", - "url": " https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 ", + "url": "https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6", "source_name": "THE FINANCIAL TIMES LTD 2019." } ], diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd.json index fe9856950..8fc5a50ca 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd.json @@ -9,9 +9,9 @@ "url": "https://attack.mitre.org/techniques/T1574/010" }, { - "external_id": "CAPEC-CAPEC", + "external_id": "CAPEC-17", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/CAPEC.html" + "url": "https://capec.mitre.org/data/definitions/17.html" } ], "platforms": [ 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279.json index 98a6b0165..39def0037 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", "name": "Registry Run Keys / Startup Folder", - "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. 
(Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. 
The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", + "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. 
The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* 
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "references": [ { "source_name": "mitre-attack", 
@@ -18,6 +18,16 @@ "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.", "source_name": "Microsoft Run Key" }, + { + "source_name": "Microsoft Wow6432Node 2018", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry", + "description": "Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020." + }, + { + "source_name": "Malwarebytes Wow6432Node 2016", + "url": "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/", + "description": "Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020." + }, { "url": "https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key", "description": "Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018.", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365.json new file mode 100644 index 000000000..38ead0f3a --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365.json 
@@ -0,0 +1,36 @@ +{ + "id": "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365", + "name": "Search Open Websites/Domains", + "description": "Before compromising a victim, adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1593", + "url": "https://attack.mitre.org/techniques/T1593" + }, + { + "source_name": "Cyware Social Media", + "url": "https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e", + "description": "Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020." + }, + { + "source_name": "SecurityTrails Google Hacking", + "url": "https://securitytrails.com/blog/google-hacking-techniques", + "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020." 
+ }, + { + "source_name": "ExploitDB GoogleHacking", + "url": "https://www.exploit-db.com/google-hacking-database", + "description": "Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a16e4004-caac-4a0b-acd5-486f8fda1665.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a16e4004-caac-4a0b-acd5-486f8fda1665.json index 5aebf1963..c0ba33f76 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a16e4004-caac-4a0b-acd5-486f8fda1665.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a16e4004-caac-4a0b-acd5-486f8fda1665.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a16e4004-caac-4a0b-acd5-486f8fda1665", "name": "Review logs and residual traces", - "description": "Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code. (Citation: EDB-39007) (Citation: infosec-covering-tracks)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1358).\n\nExecution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code. (Citation: EDB-39007) (Citation: infosec-covering-tracks)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a1e8d61b-22e1-4983-8485-96420152ecd8.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a1e8d61b-22e1-4983-8485-96420152ecd8.json index 1b679d7a7..234c15b29 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a1e8d61b-22e1-4983-8485-96420152ecd8.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a1e8d61b-22e1-4983-8485-96420152ecd8.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a1e8d61b-22e1-4983-8485-96420152ecd8", "name": "Analyze hardware/software security defensive capabilities", - "description": "An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: OSFingerprinting2014)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1294).\n\nAn adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: OSFingerprinting2014)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2029942-0a85-4947-b23c-ca434698171d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2029942-0a85-4947-b23c-ca434698171d.json index 5abe4353d..abfc35b20 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2029942-0a85-4947-b23c-ca434698171d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2029942-0a85-4947-b23c-ca434698171d.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d", "name": "GUI Input Capture", - "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). ", + "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. 
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). ", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2fc93cd-e371-4755-9305-2615b6753d91.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2fc93cd-e371-4755-9305-2615b6753d91.json index 8a8f51cbb..6d171150d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2fc93cd-e371-4755-9305-2615b6753d91.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2fc93cd-e371-4755-9305-2615b6753d91.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a2fc93cd-e371-4755-9305-2615b6753d91", "name": "Determine external network trust dependencies", - "description": "Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). (Citation: CuckoosEgg) (Citation: CuckoosEggWikipedia) (Citation: KGBComputerMe)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1259).\n\nNetwork trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). (Citation: CuckoosEgg) (Citation: CuckoosEggWikipedia) (Citation: KGBComputerMe)", "references": [ { "external_id": "T1259", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0.json new file mode 100644 index 000000000..1d7558565 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "name": "Tool", + "description": "Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\n\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.002", + "url": "https://attack.mitre.org/techniques/T1588/002" + }, + { + "source_name": "Recorded Future Beacon 2019", + "url": "https://www.recordedfuture.com/identifying-cobalt-strike-servers/", + "description": "Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a425598d-7c19-40f7-9aa3-ac20f0d5c2b2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a425598d-7c19-40f7-9aa3-ac20f0d5c2b2.json index 395c73a9d..5d2277921 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a425598d-7c19-40f7-9aa3-ac20f0d5c2b2.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a425598d-7c19-40f7-9aa3-ac20f0d5c2b2.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--a425598d-7c19-40f7-9aa3-ac20f0d5c2b2", "name": "Create backup infrastructure", - "description": "Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable. (Citation: LUCKYCAT2012)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1339).\n\nBackup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable. (Citation: LUCKYCAT2012)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4.json new file mode 100644 index 000000000..65d980cd0 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4", + "name": "Search Closed Sources", + "description": "Before compromising a victim, adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1597", + "url": "https://attack.mitre.org/techniques/T1597" + }, + { + "source_name": "D3Secutrity CTI Feeds", + "url": "https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/", + "description": "Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020." + }, + { + "source_name": "ZDNET Selling Data", + "url": "https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/", + "description": "Cimpanu, C. (2020, May 9). 
A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21.json new file mode 100644 index 000000000..b40429272 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21.json 
@@ -0,0 +1,58 @@ +{ + "id": "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21", + "name": "Systemd Timers", + "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1053.006", + "url": "https://attack.mitre.org/techniques/T1053/006" + }, + { + "source_name": "archlinux Systemd Timers Aug 2020", + "url": "https://wiki.archlinux.org/index.php/Systemd/Timers", + "description": "archlinux. (2020, August 11). systemd/Timers. Retrieved October 12, 2020." 
+ }, + { + "source_name": "Linux man-pages: systemd January 2014", + "url": "http://man7.org/linux/man-pages/man1/systemd.1.html", + "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019." + }, + { + "description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.", + "url": "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/", + "source_name": "Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018" + }, + { + "description": "Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.", + "url": "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a", + "source_name": "gist Arch package compromise 10JUL2018" + }, + { + "description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.", + "url": "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html", + "source_name": "acroread package compromised Arch Linux Mail 8JUL2018" + } + ], + "platforms": [ + "Linux" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "permissions": [ + "User", + "root" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a54a7708-8f64-45f3-ad51-1abf976986a0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a54a7708-8f64-45f3-ad51-1abf976986a0.json index 2a213fefc..6d2a8c2f5 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a54a7708-8f64-45f3-ad51-1abf976986a0.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a54a7708-8f64-45f3-ad51-1abf976986a0.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a54a7708-8f64-45f3-ad51-1abf976986a0", "name": "Mine technical blogs/forums", - "description": "Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use. (Citation: FunAndSun2012)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1257).\n\nTechnical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use. (Citation: FunAndSun2012)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b.json index e9a941409..f1366cb41 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "name": "Phishing", - "description": "Adversaries may send phishing messages to elicit sensitive information and/or gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victim\u2019s emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.", + "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc.json new file mode 100644 index 000000000..15dfbf1fd --- /dev/null 
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc.json 
@@ -0,0 +1,38 @@ +{ + "id": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc", + "name": "ROMMONkit", + "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1542.004", + "url": "https://attack.mitre.org/techniques/T1542/004" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5.json index c5359007b..7a9b40f27 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5", "name": "Conduct social engineering", - "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1279).\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d.json index 3a2c81f81..9c69ed932 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d.json 
@@ -1,18 +1,24 @@ { "id": "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d", "name": "Multi-hop Proxy", - "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.", + "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\n\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. 
This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization\u2019s WAN. Protocols such as ICMP may be used as a transport.", "references": [ { "source_name": "mitre-attack", "external_id": "T1090.003", "url": "https://attack.mitre.org/techniques/T1090/003" + }, + { + "source_name": "Onion Routing", + "url": "https://en.wikipedia.org/wiki/Onion_routing", + "description": "Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020." } ], "platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a7c620e5-cbc9-41b2-9695-418ef560f16c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a7c620e5-cbc9-41b2-9695-418ef560f16c.json index 2f8bfdfda..e60488cce 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a7c620e5-cbc9-41b2-9695-418ef560f16c.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a7c620e5-cbc9-41b2-9695-418ef560f16c.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a7c620e5-cbc9-41b2-9695-418ef560f16c", "name": "Conduct passive scanning", - "description": "Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1253).\n\nPassive scanning is the act of looking at existing network traffic in order to identify information about the communications system. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a7dff5d5-99f9-4a7e-ac54-a64113c28121.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a7dff5d5-99f9-4a7e-ac54-a64113c28121.json index df1d48c88..ed28bbf0c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a7dff5d5-99f9-4a7e-ac54-a64113c28121.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a7dff5d5-99f9-4a7e-ac54-a64113c28121.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a7dff5d5-99f9-4a7e-ac54-a64113c28121", "name": "Determine centralization of IT management", - "description": "Determining if a \"corporate\" help desk exists, the degree of access and control it has, and whether there are \"edge\" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1285).\n\nDetermining if a \"corporate\" help desk exists, the degree of access and control it has, and whether there are \"edge\" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a86a21a4-6304-4df3-aa6d-08114c47d48f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a86a21a4-6304-4df3-aa6d-08114c47d48f.json index 081d504f8..845cf1fb2 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a86a21a4-6304-4df3-aa6d-08114c47d48f.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--a86a21a4-6304-4df3-aa6d-08114c47d48f.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--a86a21a4-6304-4df3-aa6d-08114c47d48f", "name": "Assign KITs/KIQs into categories", - "description": "Leadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor. (Citation: Herring1999)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1228).\n\nLeadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor. (Citation: Herring1999)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a.json index c225a9c9d..71f123f38 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a", "name": "Domain registration hijacking", - "description": "Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1326).\n\nDomain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)", "references": [ { "source_name": "mitre-pre-attack", @@ -10,7 +10,8 @@ }, { "source_name": "ICANNDomainNameHijacking", - "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). DOMAIN NAME HIJACKING: INCIDENTS, THREATS, RISKS, AND REMEDIAL ACTIONS. Retrieved March 6, 2017." + "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.", + "url": "https://www.icann.org/groups/ssac/documents/sac-007-en" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--abd5bed1-4c12-45de-a623-ab8dc4ff862a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--abd5bed1-4c12-45de-a623-ab8dc4ff862a.json index d37545119..02552bde4 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--abd5bed1-4c12-45de-a623-ab8dc4ff862a.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--abd5bed1-4c12-45de-a623-ab8dc4ff862a.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--abd5bed1-4c12-45de-a623-ab8dc4ff862a", "name": "Research relevant vulnerabilities/CVEs", - "description": "Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable. (Citation: WeaponsVulnerable) (Citation: KasperskyCarbanak)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1291).\n\nCommon Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable. (Citation: WeaponsVulnerable) (Citation: KasperskyCarbanak)", "references": [ { "source_name": "mitre-pre-attack", @@ -14,7 +14,8 @@ }, { "source_name": "KasperskyCarbanak", - "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017." + "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.", + "url": "https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--acfcbe7a-4dbc-4471-be2b-134faf479e3e.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--acfcbe7a-4dbc-4471-be2b-134faf479e3e.json index 71ff92505..c29660119 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--acfcbe7a-4dbc-4471-be2b-134faf479e3e.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--acfcbe7a-4dbc-4471-be2b-134faf479e3e.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--acfcbe7a-4dbc-4471-be2b-134faf479e3e", "name": "Receive KITs/KIQs and determine requirements", - "description": "Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1239).\n\nApplicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ad124f84-52d2-40e3-95dd-cfdd44eae6ef.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ad124f84-52d2-40e3-95dd-cfdd44eae6ef.json index 7913ab471..89aef2268 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ad124f84-52d2-40e3-95dd-cfdd44eae6ef.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ad124f84-52d2-40e3-95dd-cfdd44eae6ef.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--ad124f84-52d2-40e3-95dd-cfdd44eae6ef", "name": "Identify vulnerabilities in third-party software libraries", - "description": "Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1389).\n\nMany applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2.json new file mode 100644 index 000000000..cb8ec3a29 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2", + "name": "Web Services", + "description": "Before compromising a victim, adversaries may compromise access to third-party web services\u00a0that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.006", + "url": "https://attack.mitre.org/techniques/T1584/006" + }, + { + "source_name": "Recorded Future Turla Infra 2020", + "url": "https://www.recordedfuture.com/turla-apt-infrastructure/", + "description": "Insikt Group. (2020, March 12). Swallowing the Snake\u2019s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754.json new file mode 100644 index 000000000..77bc8c7de 
--- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754.json @@ -0,0 +1,34 @@ +{ + "id": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "name": "Modify System Image", + "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1601", + "url": "https://attack.mitre.org/techniques/T1601" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5.json index 5c5244489..6faf8daa2 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5", "name": "Assess KITs/KIQs benefits", - "description": "Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose. (Citation: CompetitiveIntelligence) (Citation: CompetitiveIntelligence)KIT.", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1229).\n\nKey Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose. (Citation: CompetitiveIntelligence) (Citation: CompetitiveIntelligence)KIT.", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--af358cad-eb71-4e91-a752-236edc237dae.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--af358cad-eb71-4e91-a752-236edc237dae.json index fcfa13934..cf9f2946d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--af358cad-eb71-4e91-a752-236edc237dae.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--af358cad-eb71-4e91-a752-236edc237dae.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae", "name": "Conduct social engineering", - "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1268).\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b14f6692-b613-44bb-9f30-8381a5ff10d5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b14f6692-b613-44bb-9f30-8381a5ff10d5.json index 2f505bd06..12f334591 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b14f6692-b613-44bb-9f30-8381a5ff10d5.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b14f6692-b613-44bb-9f30-8381a5ff10d5.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--b14f6692-b613-44bb-9f30-8381a5ff10d5", "name": "Proxy/protocol relays", - "description": "Proxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication. (Citation: APT1)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1304).\n\nProxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication. (Citation: APT1)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b182f29c-2505-4b32-a000-0440ef189f59.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b182f29c-2505-4b32-a000-0440ef189f59.json index 973a5ed6a..1bb5cc981 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b182f29c-2505-4b32-a000-0440ef189f59.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b182f29c-2505-4b32-a000-0440ef189f59.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--b182f29c-2505-4b32-a000-0440ef189f59", "name": "Spearphishing for Information", - "description": "Spearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it it doesn't leverage malicious code. All forms of spearphishing are elctronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means. (Citation: ATTACKREF GRIZZLY STEPPE JAR)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1397).\n\nSpearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it it doesn't leverage malicious code. All forms of spearphishing are elctronically delivered social engineering targeted at a specific individual, company, or industry. 
Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means. (Citation: ATTACKREF GRIZZLY STEPPE JAR)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928.json new file mode 100644 index 000000000..d71516bea --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "name": "Social Media Accounts", + "description": "Before compromising a victim, adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. \n\nOnce a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1585.001", + "url": "https://attack.mitre.org/techniques/T1585/001" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. 
Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b26babc7-9127-4bd5-9750-5e49748c9be3.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b26babc7-9127-4bd5-9750-5e49748c9be3.json index babe6d9ac..4abf3b933 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b26babc7-9127-4bd5-9750-5e49748c9be3.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b26babc7-9127-4bd5-9750-5e49748c9be3.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--b26babc7-9127-4bd5-9750-5e49748c9be3", "name": "Research visibility gap of security vendors", - "description": "If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. (Citation: CrowdStrike Putter Panda)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1290).\n\nIf an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. (Citation: CrowdStrike Putter Panda)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc.json index e62e33b4d..739522a9d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc.json @@ -8,6 +8,11 @@ "external_id": "T1110.004", "url": "https://attack.mitre.org/techniques/T1110/004" }, + { + "external_id": "CAPEC-600", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/600.html" + }, { "source_name": "US-CERT TA18-068A 2018", "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json new file mode 100644 index 000000000..cd58a9a58 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json 
@@ -0,0 +1,41 @@ +{ + "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "name": "SMS Control", + "description": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", + "references": [ + { + "source_name": "mitre-mobile-attack", + "external_id": "T1582", + "url": "https://attack.mitre.org/techniques/T1582" + }, + { + "external_id": "APP-16", + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html" + }, + { + "external_id": "CEL-41", + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html" + }, + { + "source_name": "SMS KitKat", + "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html", + "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020." + }, + { + "source_name": "Android SmsProvider", + "url": "https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java", + "description": "Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020." 
+ } + ], + "platforms": [ + "Android" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910.json index 736ae03fc..76279f053 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910", "name": "Create implementation plan", - "description": "Implementation plans specify how the goals of the strategic plan will be executed. (Citation: ChinaCollectionPlan) (Citation: OrderOfBattle)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1232).\n\nImplementation plans specify how the goals of the strategic plan will be executed. (Citation: ChinaCollectionPlan) (Citation: OrderOfBattle)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b3f36317-3940-4d71-968f-e11ac1bf6a31.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b3f36317-3940-4d71-968f-e11ac1bf6a31.json index 2e5007216..4b2fe5a02 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b3f36317-3940-4d71-968f-e11ac1bf6a31.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b3f36317-3940-4d71-968f-e11ac1bf6a31.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--b3f36317-3940-4d71-968f-e11ac1bf6a31", "name": "Aggregate individual's digital footprint", - "description": "In addition to a target's social media presence may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine to determine the target's larger digital footprint via publicly available sources. (Citation: DigitalFootprint) (Citation: trendmicro-vtech)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1275).\n\nIn addition to a target's social media presence may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine to determine the target's larger digital footprint via publicly available sources. (Citation: DigitalFootprint) (Citation: trendmicro-vtech)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5.json index c65dba8cc..7be936c78 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5", "name": "Password Policy Discovery", - "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)", + "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. 
if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db.json index 5cf3cae7e..ffa4b961d 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db.json 
@@ -1,12 +1,27 @@ { "id": "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db", "name": "Event Triggered Execution", - "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. \n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ", + "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. 
", "references": [ { "source_name": "mitre-attack", "external_id": "T1546", "url": "https://attack.mitre.org/techniques/T1546" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.", + "source_name": "FireEye WMI 2015" + }, + { + "url": "https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf", + "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.", + "source_name": "Malware Persistence on OS X" + }, + { + "url": "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", + "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", + "source_name": "amnesia malware" } ], "platforms": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b79e8a3f-a109-47c2-a0e3-564955590a3d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b79e8a3f-a109-47c2-a0e3-564955590a3d.json index baa7a49d1..38183101c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b79e8a3f-a109-47c2-a0e3-564955590a3d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b79e8a3f-a109-47c2-a0e3-564955590a3d.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--b79e8a3f-a109-47c2-a0e3-564955590a3d", "name": "Non-traditional or less attributable payment options", - "description": "Using alternative payment options allows an adversary to hide their activities. Options include crypto currencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1316).\n\nUsing alternative payment options allows an adversary to hide their activities. Options include crypto currencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166.json new file mode 100644 index 000000000..45729639f --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166.json 
@@ -0,0 +1,24 @@ +{ + "id": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166", + "name": "Network Boundary Bridging", + "description": "Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). 
In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1599", + "url": "https://attack.mitre.org/techniques/T1599" + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d.json new file mode 100644 index 000000000..7fd8d5d97 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d", + "name": "Firmware", + "description": "Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592.003", + "url": "https://attack.mitre.org/techniques/T1592/003" + }, + { + "source_name": "ArsTechnica Intel", + "url": "https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/", + "description": "Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel source code and proprietary data dumped online. Retrieved October 20, 2020." 
+ } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b9148981-152a-4a19-95c1-962803f5c9af.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b9148981-152a-4a19-95c1-962803f5c9af.json index 891e13319..7252a163a 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b9148981-152a-4a19-95c1-962803f5c9af.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b9148981-152a-4a19-95c1-962803f5c9af.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--b9148981-152a-4a19-95c1-962803f5c9af", "name": "Determine secondary level tactical element", - "description": "The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1244).\n\nThe secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b93bd611-da4e-4c84-a40f-325b712bed67.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b93bd611-da4e-4c84-a40f-325b712bed67.json index 473db384f..fb2bf5380 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b93bd611-da4e-4c84-a40f-325b712bed67.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--b93bd611-da4e-4c84-a40f-325b712bed67.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--b93bd611-da4e-4c84-a40f-325b712bed67", "name": "Task requirements", - "description": "Once divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements. (Citation: Heffter) (Citation: JP2-01)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1240).\n\nOnce divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements. (Citation: Heffter) (Citation: JP2-01)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884.json new file mode 100644 index 000000000..68ff237f0 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884", + "name": "Software", + "description": "Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592.002", + "url": "https://attack.mitre.org/techniques/T1592/002" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2.json index 6464ded5f..6a5564c32 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2.json @@ -22,7 +22,8 @@ "platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "kill_chain": [ { 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2.json
new file mode 100644
index 000000000..d17d2c325
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2.json
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2", + "name": "Exploits", + "description": "Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. 
[Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587.004", + "url": "https://attack.mitre.org/techniques/T1587/004" + }, + { + "source_name": "NYTStuxnet", + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" + }, + { + "source_name": "Irongeek Sims BSides 2017", + "url": "https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims", + "description": "Stephen Sims. (2017, April 30). Microsoft Patch Analysis for Exploitation. Retrieved October 16, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3.json new file mode 100644 index 000000000..8e4999443 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3", + "name": "Social Media", + "description": "Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\n\nAdversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim\u2019s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1593.001", + "url": "https://attack.mitre.org/techniques/T1593/001" + }, + { + "source_name": "Cyware Social Media", + "url": "https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e", + "description": "Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161.json
new file mode 100644
index 000000000..c0c04fc8c
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161.json
@@ -0,0 +1,61 @@ +{ + "id": "attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161", + "name": "Credentials", + "description": "Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1589.001", + "url": "https://attack.mitre.org/techniques/T1589/001" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + }, + { + "source_name": "Register Deloitte", + "url": "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/", + "description": "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020." + }, + { + "source_name": "Register Uber", + "url": "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/", + "description": "McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020." + }, + { + "source_name": "Detectify Slack Tokens", + "url": "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/", + "description": "Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020." 
+ }, + { + "source_name": "Forbes GitHub Creds", + "url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196", + "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020." + }, + { + "source_name": "GitHub truffleHog", + "url": "https://github.com/dxa4481/truffleHog", + "description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020." + }, + { + "source_name": "GitHub Gitrob", + "url": "https://github.com/michenriksen/gitrob", + "description": "Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020." + }, + { + "source_name": "CNET Leaks", + "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/", + "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b.json index e4a9cbd9c..9a1e12128 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b.json 
@@ -9,9 +9,9 @@
 "url": "https://attack.mitre.org/techniques/T1574/009"
 },
 {
- "external_id": "CAPEC-capec",
+ "external_id": "CAPEC-38",
 "source_name": "capec",
- "url": "https://capec.mitre.org/data/definitions/capec.html"
+ "url": "https://capec.mitre.org/data/definitions/38.html"
 },
 {
 "source_name": "Microsoft CurrentControlSet Services",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b.json
index 1b9fbc04f..f9466b1c2 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b.json
@@ -1,7 +1,7 @@ { "id": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", "name": "Non-Application Layer Protocol", - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.", + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\n Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.", "references": [ { "source_name": "mitre-attack", 
@@ -13,11 +13,21 @@
 "description": "Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.",
 "source_name": "Wikipedia OSI"
 },
+ {
+ "source_name": "Cisco Synful Knock Evolution",
+ "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices",
+ "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020."
+ },
 {
 "url": "http://support.microsoft.com/KB/170292",
 "description": "Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.",
 "source_name": "Microsoft ICMP"
 },
+ {
+ "source_name": "Cisco Blog Legacy Device Attacks",
+ "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954",
+ "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020."
+ },
 {
 "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
 "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
@@ -27,7 +37,8 @@
 "platforms": [
 "Windows",
 "Linux",
- "macOS"
+ "macOS",
+ "Network"
 ],
 "kill_chain": [
 {
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916.json
index 2fd4a5b59..2fc7d3bfa 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916.json
@@ -8,6 +8,11 @@
 "external_id": "T1027.003",
 "url": "https://attack.mitre.org/techniques/T1027/003"
 },
+ {
+ "external_id": "CAPEC-636",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/636.html"
+ },
 {
 "url": "https://en.wikipedia.org/wiki/Duqu",
 "description": "Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5.json
new file mode 100644
index 000000000..aecd18b3c
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5.json
@@ -0,0 +1,41 @@
+{
+ "id": "attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5",
+ "name": "DNS Server",
+ "description": "Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\n\nBy compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1584.002",
+ "url": "https://attack.mitre.org/techniques/T1584/002"
+ },
+ {
+ "source_name": "Talos DNSpionage Nov 2018",
+ "url": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html",
+ "description": "Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020."
+ },
+ {
+ "source_name": "FireEye DNS Hijack 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
+ "description": "Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020."
+ },
+ {
+ "source_name": "CiscoAngler",
+ "description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. 
Retrieved March 6, 2017.",
+ "url": "https://blogs.cisco.com/security/talos/angler-domain-shadowing"
+ },
+ {
+ "source_name": "Proofpoint Domain Shadowing",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows",
+ "description": "Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved October 16, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93.json
index d75f17ef5..733a78f18 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93",
 "name": "Obfuscation or cryptography",
- "description": "Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. (Citation: FireEyeAPT28)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1313).\n\nObfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. (Citation: FireEyeAPT28)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0.json
index dce5cc564..03d330122 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0.json
@@ -8,6 +8,11 @@
 "external_id": "T1550.004",
 "url": "https://attack.mitre.org/techniques/T1550/004"
 },
+ {
+ "external_id": "CAPEC-60",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/60.html"
+ },
 {
 "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.",
 "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f.json
index 16bed7f13..fff1a8254 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f.json
@@ -8,6 +8,11 @@
 "external_id": "T1078.002",
 "url": "https://attack.mitre.org/techniques/T1078/002"
 },
+ {
+ "external_id": "CAPEC-560",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/560.html"
+ },
 {
 "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx",
 "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84.json
index 54226faf6..c4aea01c8 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84",
 "name": "Identify job postings and needs/gaps",
- "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight in to possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1248).\n\nJob postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight in to possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c860af4a-376e-46d7-afbf-262c41012227.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c860af4a-376e-46d7-afbf-262c41012227.json
index b8d889a83..2b21a740c 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c860af4a-376e-46d7-afbf-262c41012227.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c860af4a-376e-46d7-afbf-262c41012227.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--c860af4a-376e-46d7-afbf-262c41012227",
 "name": "Determine operational element",
- "description": "If going from strategic down to tactical or vice versa, an adversary would next consider the operational element. For example, the specific company within an industry or agency within a government. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1242).\n\nIf going from strategic down to tactical or vice versa, an adversary would next consider the operational element. For example, the specific company within an industry or agency within a government. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b.json
new file mode 100644
index 000000000..db62b44be
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b.json
@@ -0,0 +1,56 @@
+{
+ "id": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b",
+ "name": "VBA Stomping",
+ "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero\u2019s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1564.007",
+ "url": "https://attack.mitre.org/techniques/T1564/007"
+ },
+ {
+ "source_name": "FireEye VBA stomp Feb 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html",
+ "description": "Cole, R., Moore, A., Stark, G., Stancill, B. 
(2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020."
+ },
+ {
+ "source_name": "Evil Clippy May 2019",
+ "url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/",
+ "description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020."
+ },
+ {
+ "source_name": "Microsoft _VBA_PROJECT Stream",
+ "url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239",
+ "description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020."
+ },
+ {
+ "source_name": "Walmart Roberts Oct 2018",
+ "url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278",
+ "description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020."
+ },
+ {
+ "source_name": "pcodedmp Bontchev",
+ "url": "https://github.com/bontchev/pcodedmp",
+ "description": "Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020."
+ },
+ {
+ "source_name": "oletools toolkit",
+ "url": "https://github.com/decalage2/oletools",
+ "description": "decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020."
+ }
+ ],
+ "platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "permissions": [
+ "User"
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9ac5715-ee5c-4380-baf4-6f12e304ca93.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9ac5715-ee5c-4380-baf4-6f12e304ca93.json
index 6b5b793bd..4f262488d 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9ac5715-ee5c-4380-baf4-6f12e304ca93.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9ac5715-ee5c-4380-baf4-6f12e304ca93.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--c9ac5715-ee5c-4380-baf4-6f12e304ca93",
 "name": "Test signature detection for file upload/email filters",
- "description": "An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). (Citation: WiredVirusTotal)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1361).\n\nAn adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). (Citation: WiredVirusTotal)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8.json
index e4980fa35..67c2fdcd9 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8",
 "name": "Test ability to evade automated mobile application security analysis performed by app stores",
- "description": "Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1393).\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9fb4451-729d-4771-b205-52c1829f949c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9fb4451-729d-4771-b205-52c1829f949c.json
index 42c160158..180adeced 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9fb4451-729d-4771-b205-52c1829f949c.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--c9fb4451-729d-4771-b205-52c1829f949c.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--c9fb4451-729d-4771-b205-52c1829f949c",
 "name": "Identify resources required to build capabilities",
- "description": "As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out. (Citation: APT1)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1348).\n\nAs with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out. (Citation: APT1)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2.json
index f64196b73..e9cb8a32d 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2.json
@@ -8,6 +8,11 @@
 "external_id": "T1090.004",
 "url": "https://attack.mitre.org/techniques/T1090/004"
 },
+ {
+ "external_id": "CAPEC-481",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/481.html"
+ },
 {
 "url": "http://www.icir.org/vern/papers/meek-PETS-2015.pdf",
 "description": "David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213.json
new file mode 100644
index 000000000..85a112cfe
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213.json
@@ -0,0 +1,45 @@
+{
+ "id": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213",
+ "name": "ARP Cache Poisoning",
+ "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. 
Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\n\nAdversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)\n",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1557.002",
+ "url": "https://attack.mitre.org/techniques/T1557/002"
+ },
+ {
+ "source_name": "RFC826 ARP",
+ "url": "https://tools.ietf.org/html/rfc826",
+ "description": "Plummer, D. (1982, November). An Ethernet Address Resolution Protocol. Retrieved October 15, 2020."
+ },
+ {
+ "source_name": "Sans ARP Spoofing Aug 2003",
+ "url": "https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411",
+ "description": "Siles, R. (2003, August). Real World ARP Spoofing. Retrieved October 15, 2020."
+ },
+ {
+ "source_name": "Cylance Cleaver",
+ "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
+ "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ }
+ ],
+ "platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "permissions": [
+ "User"
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d.json
new file mode 100644
index 000000000..2145ce427
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d.json
@@ -0,0 +1,46 @@
+{
+ "id": "attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d",
+ "name": "Disable Cloud Logs",
+ "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1562.008",
+ "url": "https://attack.mitre.org/techniques/T1562/008"
+ },
+ {
+ "source_name": "Following the CloudTrail: Generating strong AWS security signals with Sumo Logic",
+ "url": "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/",
+ "description": "Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020."
+ },
+ {
+ "source_name": "Stopping CloudTrail from Sending Events to CloudWatch Logs",
+ "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html",
+ "description": "Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020."
+ },
+ {
+ "source_name": "Configuring Data Access audit logs",
+ "url": "https://cloud.google.com/logging/docs/audit/configure-data-access",
+ "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020."
+ },
+ {
+ "source_name": "az monitor diagnostic-settings",
+ "url": "https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete",
+ "description": "Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020."
+ }
+ ],
+ "platforms": [
+ "GCP",
+ "Azure",
+ "AWS"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "permissions": [
+ "User"
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384.json
index 9a9b636c3..4b8102802 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384.json
@@ -8,10 +8,15 @@
 "external_id": "T1518.001",
 "url": "https://attack.mitre.org/techniques/T1518/001"
 },
+ {
+ "external_id": "CAPEC-581",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/581.html"
+ },
 {
 "source_name": "Expel IO Evil in AWS",
 "url": "https://expel.io/blog/finding-evil-in-aws/",
- "description": "Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."
+ "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."
 }
 ],
 "platforms": [
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cc0faf66-4df2-4328-9c9c-b0ca5de915ad.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cc0faf66-4df2-4328-9c9c-b0ca5de915ad.json
index 2ffbe5924..369e03e68 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cc0faf66-4df2-4328-9c9c-b0ca5de915ad.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cc0faf66-4df2-4328-9c9c-b0ca5de915ad.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--cc0faf66-4df2-4328-9c9c-b0ca5de915ad",
 "name": "Secure and protect infrastructure",
- "description": "An adversary may secure and protect their infrastructure just as defenders do. This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures. (Citation: KrebsTerracottaVPN)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1317).\n\nAn adversary may secure and protect their infrastructure just as defenders do. This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures. (Citation: KrebsTerracottaVPN)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4.json
new file mode 100644
index 000000000..4069f1074
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4.json
@@ -0,0 +1,26 @@
+{
+ "id": "attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4",
+ "name": "Identify Roles",
+ "description": "Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1591.004",
+ "url": "https://attack.mitre.org/techniques/T1591/004"
+ },
+ {
+ "source_name": "ThreatPost Broadvoice Leak",
+ "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/",
+ "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a.json
new file mode 100644
index 000000000..06843703d
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a.json
@@ -0,0 +1,56 @@ +{ + "id": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a", + "name": "Phishing for Information", + "description": "Before compromising a victim, adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1598", + "url": "https://attack.mitre.org/techniques/T1598" + }, + { + "source_name": "ThreatPost Social Media Phishing", + "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/", + "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020." 
+ }, + { + "source_name": "TrendMictro Phishing", + "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html", + "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020." + }, + { + "source_name": "PCMag FakeLogin", + "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages", + "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020." + }, + { + "source_name": "Sophos Attachment", + "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/", + "description": "Ducklin, P. (2020, October 2). Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020." + }, + { + "source_name": "GitHub Phishery", + "url": "https://github.com/ryhanson/phishery", + "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020." + }, + { + "source_name": "Microsoft Anti Spoofing", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020." + }, + { + "source_name": "ACSC Email Spoofing", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8.json new file mode 100644 index 000000000..e4c7646fe --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8.json 
@@ -0,0 +1,36 @@ +{ + "id": "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", + "name": "Establish Accounts", + "description": "Before compromising a victim, adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1585", + "url": "https://attack.mitre.org/techniques/T1585" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. 
Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d.json index 313be713a..cec8ef09b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d", "name": "Map network topology", - "description": "A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related. (Citation: man traceroute) (Citation: Shodan Tutorial)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1252).\n\nA network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related. (Citation: man traceroute) (Citation: Shodan Tutorial)", "references": [ { "external_id": "T1252", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1.json new file mode 100644 index 000000000..415a340b7 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1.json 
@@ -0,0 +1,36 @@ +{ + "id": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "name": "Obtain Capabilities", + "description": "Before compromising a victim, adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588", + "url": "https://attack.mitre.org/techniques/T1588" + }, + { + "source_name": "NationsBuying", + "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.", + "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html" + }, + { + "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", + "description": "Bill Marczak and John Scott-Railton. (2016, August 24). 
The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.", + "source_name": "PegasusCitizenLab" + }, + { + "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.", + "source_name": "DiginotarCompromise", + "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c.json index 46c75f0c5..77a8a3983 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c.json @@ -11,7 +11,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." }, { "source_name": "AWS CloudTrail Search", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f.json new file mode 100644 index 000000000..d91b8947e --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f.json 
@@ -0,0 +1,59 @@ +{ + "id": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "name": "Patch System Image", + "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. 
Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary\u2019s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). 
\n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1601.001", + "url": "https://attack.mitre.org/techniques/T1601/001" + }, + { + "source_name": "Killing the myth of Cisco IOS rootkits", + "url": "https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf", + "description": "Sebastian 'topo' Mu\u00f1iz. (2008, May). Killing the myth of Cisco IOS rootkits. Retrieved October 20, 2020." + }, + { + "source_name": "Killing IOS diversity myth", + "url": "https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf", + "description": "Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode design. Retrieved October 20, 2020." + }, + { + "source_name": "Cisco IOS Shellcode", + "url": "http://2015.zeronights.org/assets/files/05-Nosenko.pdf", + "description": "George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved October 21, 2020." + }, + { + "source_name": "Cisco IOS Forensics Developments", + "url": "https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf", + "description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020." + }, + { + "source_name": "Juniper Netscreen of the Dead", + "url": "https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf", + "description": "Graeme Neilson . (2009, August). Juniper Netscreen of the Dead. Retrieved October 20, 2020." 
+ }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416.json index e0789f48b..a2e19d608 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416", "name": "Data from Information Repositories", - "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nAdversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.", + "description": "Adversaries may leverage information repositories to mine valuable information. 
Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.", "references": [ { "source_name": "mitre-attack", @@ -24,9 +24,6 @@ "Windows", "macOS", "SaaS", - "AWS", - "GCP", - "Azure", "Office 365" ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d2c4206a-a431-4494-834d-52944a79e9f4.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d2c4206a-a431-4494-834d-52944a79e9f4.json index 057d63414..c2699026c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d2c4206a-a431-4494-834d-52944a79e9f4.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d2c4206a-a431-4494-834d-52944a79e9f4.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--d2c4206a-a431-4494-834d-52944a79e9f4", "name": "Distribute malicious software development tools", - "description": "An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. (Citation: PA XcodeGhost) (Citation: Reflections on Trusting Trust)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1394).\n\nAn adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. (Citation: PA XcodeGhost) (Citation: Reflections on Trusting Trust)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d3999268-740f-467e-a075-c82e2d04be62.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d3999268-740f-467e-a075-c82e2d04be62.json index 37f4d626e..8f0c5c7d3 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d3999268-740f-467e-a075-c82e2d04be62.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d3999268-740f-467e-a075-c82e2d04be62.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--d3999268-740f-467e-a075-c82e2d04be62", "name": "Assess leadership areas of interest", - "description": "Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. (Citation: ODNIIntegration)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1224).\n\nLeadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. (Citation: ODNIIntegration)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d3dca536-8bf0-4e43-97c1-44a2353c3d69.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d3dca536-8bf0-4e43-97c1-44a2353c3d69.json index f69f77cc4..4dfe9951b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d3dca536-8bf0-4e43-97c1-44a2353c3d69.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d3dca536-8bf0-4e43-97c1-44a2353c3d69.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--d3dca536-8bf0-4e43-97c1-44a2353c3d69", "name": "Anonymity services", - "description": "Anonymity services reduce the amount of information available that can be used to track an adversary's activities. Multiple options are available to hide activity, limit tracking, and increase anonymity. (Citation: TOR Design) (Citation: Stratfor2012)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1306).\n\nAnonymity services reduce the amount of information available that can be used to track an adversary's activities. Multiple options are available to hide activity, limit tracking, and increase anonymity. (Citation: TOR Design) (Citation: Stratfor2012)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9.json index bec145a82..336bdb7ce 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9.json @@ -5,8 +5,13 @@ "references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1200", - "external_id": "T1200" + "external_id": "T1200", + "url": "https://attack.mitre.org/techniques/T1200" + }, + { + "external_id": "CAPEC-440", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/440.html" }, { "url": "https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d45fe3c2-0688-43b9-ac07-7eb86f575e93.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d45fe3c2-0688-43b9-ac07-7eb86f575e93.json index 5ff1dcb48..b653cd744 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d45fe3c2-0688-43b9-ac07-7eb86f575e93.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d45fe3c2-0688-43b9-ac07-7eb86f575e93.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--d45fe3c2-0688-43b9-ac07-7eb86f575e93", "name": "Determine approach/attack vector", - "description": "The approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector. (Citation: CyberAdversaryBehavior) (Citation: WITCHCOVEN2015) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1245).\n\nThe approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector. (Citation: CyberAdversaryBehavior) (Citation: WITCHCOVEN2015) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605.json index c1c33f7d4..56e3f5330 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605", "name": "Domain Controller Authentication", - "description": "Adversaries may patch the authentication process on a domain control to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain control with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)", + "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). 
Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d58f3996-e293-4f69-a2c8-0e1851cb8297.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d58f3996-e293-4f69-a2c8-0e1851cb8297.json index b88fd3109..07140d757 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d58f3996-e293-4f69-a2c8-0e1851cb8297.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d58f3996-e293-4f69-a2c8-0e1851cb8297.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--d58f3996-e293-4f69-a2c8-0e1851cb8297", "name": "Obtain Apple iOS enterprise distribution key pair and certificate", - "description": "The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1392).\n\nThe adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)", "references": [ { "source_name": "mitre-pre-attack", 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d69c3e06-8311-4093-8e3e-0a8e06b15d92.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d69c3e06-8311-4093-8e3e-0a8e06b15d92.json index b0ead2b0e..63db3e35c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d69c3e06-8311-4093-8e3e-0a8e06b15d92.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d69c3e06-8311-4093-8e3e-0a8e06b15d92.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--d69c3e06-8311-4093-8e3e-0a8e06b15d92", "name": "Assess targeting options", - "description": "An adversary may assess a target's operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more of less cautious in different environments. (Citation: Scasny2015) (Citation: EverstineAirStrikes)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1296).\n\nAn adversary may assess a target's operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more of less cautious in different environments. (Citation: Scasny2015) (Citation: EverstineAirStrikes)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d778cb83-2292-4995-b006-d38f52bc1e64.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d778cb83-2292-4995-b006-d38f52bc1e64.json index 8efc8b137..ff758d0c6 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d778cb83-2292-4995-b006-d38f52bc1e64.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--d778cb83-2292-4995-b006-d38f52bc1e64.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--d778cb83-2292-4995-b006-d38f52bc1e64", "name": "Identify gap areas", - "description": "Leadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: ODNIIntegration) (Citation: ICD115)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1225).\n\nLeadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: ODNIIntegration) (Citation: ICD115)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120.json new file mode 100644 index 000000000..1d702dbbb --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120", + "name": "Scanning IP Blocks", + "description": "Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1595.001", + "url": "https://attack.mitre.org/techniques/T1595/001" + }, + { + "source_name": "Botnet Scan", + "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf", + "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9.json index a183960ff..48dc39ddf 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9", "name": "Determine highest level tactical element", - "description": "From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1243).\n\nFrom a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--df42286d-dfbd-4455-bc9d-aef52ac29aa7.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--df42286d-dfbd-4455-bc9d-aef52ac29aa7.json index 841e0a410..083f5027d 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--df42286d-dfbd-4455-bc9d-aef52ac29aa7.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--df42286d-dfbd-4455-bc9d-aef52ac29aa7.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--df42286d-dfbd-4455-bc9d-aef52ac29aa7", "name": "Post compromise tool development", - "description": "After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. (Citation: SofacyHits)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1353).\n\nAfter compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. (Citation: SofacyHits)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05.json index 94fa1b6d0..263e76b6b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05", "name": "Determine 3rd party infrastructure services", - "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. (Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1284).\n\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. (Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67.json index 3a34a3d5e..2976f06fd 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "name": "Visual Basic", - "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.", + "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. 
Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.", "references": [ { "source_name": "mitre-attack", @@ -23,6 +23,11 @@ "url": "https://docs.microsoft.com/office/vba/api/overview/", "description": "Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020." }, + { + "source_name": "Wikipedia VBA", + "url": "https://en.wikipedia.org/wiki/Visual_Basic_for_Applications", + "description": "Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020." + }, { "source_name": "Microsoft VBScript", "url": "https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b.json index aca138046..9c3deac6e 100644 
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b.json 
@@ -1,13 +1,23 @@ { "id": "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b", "name": "Systemd Service", - "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. 
\n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", + "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. 
Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", "references": [ { "source_name": "mitre-attack", "external_id": "T1543.002", "url": "https://attack.mitre.org/techniques/T1543/002" }, + { + "external_id": "CAPEC-550", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/550.html" + }, + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, { "source_name": "Linux man-pages: systemd January 2014", "url": "http://man7.org/linux/man-pages/man1/systemd.1.html", 
@@ -23,21 +33,6 @@ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang", "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019." }, - { - "source_name": "gist Arch package compromise 10JUL2018", - "url": "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a", - "description": "Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019." - }, - { - "source_name": "Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018", - "url": "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/", - "description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019." - }, - { - "source_name": "acroread package compromised Arch Linux Mail 8JUL2018", - "url": "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html", - "description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019." - }, { "source_name": "Rapid7 Service Persistence 22JUNE2016", "url": "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e042a41b-5ecf-4f3a-8f1f-1b528c534772.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e042a41b-5ecf-4f3a-8f1f-1b528c534772.json index b434465fb..b706fd46b 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e042a41b-5ecf-4f3a-8f1f-1b528c534772.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e042a41b-5ecf-4f3a-8f1f-1b528c534772.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--e042a41b-5ecf-4f3a-8f1f-1b528c534772", "name": "Test malware in various execution environments", - "description": "Malware may perform differently on different platforms (computer vs handheld) and different operating systems ([Ubuntu](http://www.ubuntu.com) vs [OS X](http://www.apple.com/osx)), and versions ([Windows](http://windows.microsoft.com) 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed. (Citation: BypassMalwareDefense)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1357).\n\nMalware may perform differently on different platforms (computer vs handheld) and different operating systems ([Ubuntu](http://www.ubuntu.com) vs [OS X](http://www.apple.com/osx)), and versions ([Windows](http://windows.microsoft.com) 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed. (Citation: BypassMalwareDefense)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5.json new file mode 100644 index 000000000..d31ab585b --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5.json 
@@ -0,0 +1,21 @@ +{ + "id": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "name": "Server", + "description": "Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.004", + "url": "https://attack.mitre.org/techniques/T1584/004" + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e2aa077d-60c9-4de5-b015-a9c382877cd9.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e2aa077d-60c9-4de5-b015-a9c382877cd9.json index 1e378043a..eaee64f84 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e2aa077d-60c9-4de5-b015-a9c382877cd9.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e2aa077d-60c9-4de5-b015-a9c382877cd9.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--e2aa077d-60c9-4de5-b015-a9c382877cd9", "name": "Assess opportunities created by business deals", - "description": "During mergers, divestitures, or other period of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests, or other non standard practices may not be as noticeable. (Citation: RossiMergers) (Citation: MeidlHealthMergers)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1299).\n\nDuring mergers, divestitures, or other period of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests, or other non standard practices may not be as noticeable. (Citation: RossiMergers) (Citation: MeidlHealthMergers)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e34b9ca1-8778-41a3-bba5-8edaab4076dc.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e34b9ca1-8778-41a3-bba5-8edaab4076dc.json index 4d6aa81b2..44457376c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e34b9ca1-8778-41a3-bba5-8edaab4076dc.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e34b9ca1-8778-41a3-bba5-8edaab4076dc.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--e34b9ca1-8778-41a3-bba5-8edaab4076dc", "name": "SSL certificate acquisition for domain", - "description": "Certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user in to trusting the domain (e.g., vvachovia instead of [Wachovia](https://www.wellsfargo.com/about/corporate/wachovia) -- homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1337).\n\nCertificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user in to trusting the domain (e.g., vvachovia instead of [Wachovia](https://www.wellsfargo.com/about/corporate/wachovia) -- homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)", "references": [ { "source_name": "mitre-pre-attack", 
@@ -14,7 +14,8 @@ }, { "source_name": "PaypalScam", - "description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017." + "description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.", + "url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/" } ], "kill_chain": [ diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735.json index 9a76df7dc..49c184fbb 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", "name": "Remote System Discovery", - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.\n\nWithin IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. 
Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.", "references": [ { "source_name": "mitre-attack", @@ -12,35 +12,12 @@ "external_id": "CAPEC-292", "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/292.html" - }, - { - "source_name": "Amazon Describe Instances API", - "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html", - "description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020." - }, - { - "source_name": "Amazon Describe Instances CLI", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html", - "description": "Amazon. (n.d.). describe-instances. Retrieved May 26, 2020." - }, - { - "source_name": "Google Compute Instances", - "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list", - "description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020." - }, - { - "source_name": "Azure VM List", - "url": "https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest", - "description": "Microsoft. (n.d.). az vm. Retrieved May 26, 2020." } ], "platforms": [ "Linux", "macOS", - "Windows", - "GCP", - "Azure", - "AWS" + "Windows" ], "kill_chain": [ { 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d.json new file mode 100644 index 000000000..46e503c13 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d.json 
@@ -0,0 +1,36 @@
+{
+ "id": "attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d",
+ "name": "Domain Properties",
+ "description": "Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1590.001",
+ "url": "https://attack.mitre.org/techniques/T1590/001"
+ },
+ {
+ "source_name": "WHOIS",
+ "url": "https://www.whois.net/",
+ "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "DNS Dumpster",
+ "url": "https://dnsdumpster.com/",
+ "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "Circl Passive DNS",
+ "url": "https://www.circl.lu/services/passive-dns/",
+ "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58.json
index 4c2e4087f..23f9d8270 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58.json
@@ -4,9 +4,14 @@
 "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).",
 "references": [
 {
- "external_id": "T1518",
 "source_name": "mitre-attack",
+ "external_id": "T1518",
 "url": "https://attack.mitre.org/techniques/T1518"
+ },
+ {
+ "external_id": "CAPEC-580",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/580.html"
 }
 ],
 "platforms": [
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b.json
index f83157996..ce6a36b76 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b",
 "name": "Compromise 3rd party infrastructure to support delivery",
- "description": "Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1334).\n\nInstead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59.json
index 2ca80ac79..de48b5898 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59",
 "name": "Acquire or compromise 3rd party signing certificates",
- "description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1310).\n\nCode signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b.json
index c81068c3d..1bae35927 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b.json
@@ -9,9 +9,9 @@
 "url": "https://attack.mitre.org/techniques/T1574/002"
 },
 {
- "external_id": "CAPEC-capec",
+ "external_id": "CAPEC-641",
 "source_name": "capec",
- "url": "https://capec.mitre.org/data/definitions/capec.html"
+ "url": "https://capec.mitre.org/data/definitions/641.html"
 },
 {
 "source_name": "About Side by Side Assemblies",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6.json
index 771fb8580..1dbfa0e8c 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6",
 "name": "Obfuscate infrastructure",
- "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: LUCKYCAT2012)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1309).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: LUCKYCAT2012)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e754fa49-2db1-416b-92db-7f886decd099.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e754fa49-2db1-416b-92db-7f886decd099.json
index 580f15374..1f83dfcab 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e754fa49-2db1-416b-92db-7f886decd099.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e754fa49-2db1-416b-92db-7f886decd099.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--e754fa49-2db1-416b-92db-7f886decd099",
 "name": "Generate analyst intelligence requirements",
- "description": "Analysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question. (Citation: Herring1999)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1234).\n\nAnalysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question. (Citation: Herring1999)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15.json
new file mode 100644
index 000000000..a192bc903
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15.json
@@ -0,0 +1,26 @@
+{
+ "id": "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15",
+ "name": "Code Signing Certificates",
+ "description": "Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1588.003",
+ "url": "https://attack.mitre.org/techniques/T1588/003"
+ },
+ {
+ "url": "https://en.wikipedia.org/wiki/Code_signing",
+ "description": "Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.",
+ "source_name": "Wikipedia Code Signing"
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37.json
index f9d542b0c..cfbb65f03 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37",
 "name": "Upload, install, and configure software/tools",
- "description": "An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1362).\n\nAn adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f.json
index 606563b74..e7025d3a0 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f",
 "name": "Create infected removable media",
- "description": "Use of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware. (Citation: BadUSB)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1355).\n\nUse of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware. (Citation: BadUSB)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d.json
index 4dde53497..51b7ffde0 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
 "name": "Friend/Follow/Connect to targets of interest",
- "description": "A form of social engineering designed build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1364).\n\nA form of social engineering designed build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
@@ -10,7 +10,8 @@
 },
 {
 "source_name": "BlackHatRobinSage",
- "description": "Thomas Ryan. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017."
+ "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.",
+ "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf"
 }
 ],
 "kill_chain": [
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f.json
new file mode 100644
index 000000000..4ae61f040
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f.json
@@ -0,0 +1,26 @@
+{
+ "id": "attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f",
+ "name": "Scan Databases",
+ "description": "Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\n\nAdversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1596.005",
+ "url": "https://attack.mitre.org/techniques/T1596/005"
+ },
+ {
+ "source_name": "Shodan",
+ "url": "https://shodan.io",
+ "description": "Shodan. (n.d.). Shodan. Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0.json
index 0162a39e1..3cb889d99 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0",
 "name": "Create strategic plan",
- "description": "Strategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1231).\n\nStrategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1.json
index 850099002..3b4f3c65c 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1.json
@@ -11,7 +11,7 @@
 {
 "source_name": "Mandiant M-Trends 2020",
 "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
 },
 {
 "source_name": "AWS Cloud Trail Backup API",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867.json
new file mode 100644
index 000000000..7df8ac12c
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867.json
@@ -0,0 +1,31 @@
+{
+ "id": "attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867",
+ "name": "Determine Physical Locations",
+ "description": "Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1591.001",
+ "url": "https://attack.mitre.org/techniques/T1591/001"
+ },
+ {
+ "source_name": "ThreatPost Broadvoice Leak",
+ "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/",
+ "description": "Seals, T. (2020, October 15). 
Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "DOB Business Lookup",
+ "url": "https://www.dobsearch.com/business-lookup/",
+ "description": "Concert Technologies . (n.d.). Business Lookup - Company Name Search. Retrieved October 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf.json
new file mode 100644
index 000000000..8ffc9aa18
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf.json
@@ -0,0 +1,41 @@
+{
+ "id": "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf",
+ "name": "Develop Capabilities",
+ "description": "Before compromising a victim, adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\n\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1587",
+ "url": "https://attack.mitre.org/techniques/T1587"
+ },
+ {
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
+ "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+ "source_name": "Mandiant APT1"
+ },
+ {
+ "source_name": "Kaspersky Sofacy",
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. 
Retrieved December 10, 2015.",
+ "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
+ },
+ {
+ "source_name": "Bitdefender StrongPity June 2020",
+ "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf",
+ "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020."
+ },
+ {
+ "source_name": "Talos Promethium June 2020",
+ "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
+ "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020."
+ }
+ ],
+ "platforms": [
+ "PRE"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "resource-development"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d.json
index 32184a4f4..29c7e0bf9 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d.json
@@ -1,7 +1,7 @@
 {
 "id": "attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d",
 "name": "Analyze social and business relationships, interests, and affiliations",
- "description": "Social media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1295).\n\nSocial media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)",
 "references": [
 {
 "source_name": "mitre-pre-attack",
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5.json
new file mode 100644
index 000000000..20793eb19
--- /dev/null
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5.json
@@ -0,0 +1,44 @@
+{
+ "id": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5",
+ "name": "SNMP (MIB Dump)",
+ "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ",
+ "references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1602.001",
+ "url": "https://attack.mitre.org/techniques/T1602/001"
+ },
+ {
+ "source_name": "SANS Information Security Reading Room Securing SNMP Securing SNMP",
+ "url": "https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051",
+ "description": "Michael Stump. (2003). Information Security Reading Room Securing SNMP: A Look atNet-SNMP (SNMPv3). Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "US-CERT-TA18-106A",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A",
+ "description": "US-CERT. (2018, April 20). 
Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020."
+ },
+ {
+ "source_name": "Cisco Blog Legacy Device Attacks",
+ "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954",
+ "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020."
+ },
+ {
+ "source_name": "Cisco Advisory SNMP v3 Authentication Vulnerabilities",
+ "url": "https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3",
+ "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020."
+ }
+ ],
+ "platforms": [
+ "Network"
+ ],
+ "kill_chain": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "permissions": [
+ "Administrator"
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957.json
index 8d764831f..e0ca078b9 100644
--- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957.json
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957.json
@@ -1,7 +1,7 @@ { "id": "attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957", "name": "Discover target logon/email address format", - "description": "Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1255).\n\nEmail addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d.json index 331fff0af..122091966 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d", "name": "Enumerate externally facing software applications technologies, languages, and dependencies", - "description": "Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1261).\n\nSoftware applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51.json index 0534d0d8b..733c2d71c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51.json 
@@ -8,25 +8,30 @@ "external_id": "T1550.001", "url": "https://attack.mitre.org/techniques/T1550/001" }, + { + "external_id": "CAPEC-593", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/593.html" + }, { "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/", "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019" }, { - "source_name": "okta", + "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.", "url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen", - "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019." + "source_name": "okta" }, { - "source_name": "Microsoft Identity Platform Access 2019", + "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens", - "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019." + "source_name": "Microsoft Identity Platform Access 2019" }, { - "source_name": "Staaldraad Phishing with OAuth 2017", + "description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.", "url": "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/", - "description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019." + "source_name": "Staaldraad Phishing with OAuth 2017" } ], "platforms": [ 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65.json index 6f3cb5769..584ef2764 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", "name": "Cloud Accounts", - "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.", + "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. 
Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee.json index 170eb55f2..081db37e8 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee.json @@ -8,6 +8,11 @@ "external_id": "T1558.003", "url": "https://attack.mitre.org/techniques/T1558/003" }, + { + "external_id": "CAPEC-509", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/509.html" + }, { "url": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1", "description": "EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018.", @@ -35,7 +40,8 @@ }, { "description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.", - "source_name": "SANS Attacking Kerberos Nov 2014" + "source_name": "SANS Attacking Kerberos Nov 2014", + "url": "https://redsiege.com/kerberoast-slides" }, { "url": "https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636.json new file mode 100644 index 000000000..dab301712 --- /dev/null 
+++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636.json 
@@ -0,0 +1,46 @@ +{ + "id": "attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636", + "name": "Exploits", + "description": "Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. 
[Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.005", + "url": "https://attack.mitre.org/techniques/T1588/005" + }, + { + "source_name": "Exploit Database", + "url": "https://www.exploit-db.com/", + "description": "Offensive Security. (n.d.). Exploit Database. Retrieved October 15, 2020." + }, + { + "source_name": "TempertonDarkHotel", + "description": "Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017.", + "url": "https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage" + }, + { + "source_name": "NationsBuying", + "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.", + "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html" + }, + { + "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", + "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. 
Retrieved December 12, 2016.", + "source_name": "PegasusCitizenLab" + }, + { + "source_name": "Wired SandCat Oct 2019", + "url": "https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec", + "description": "Zetter, K. (2019, October 3). Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved October 15, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f4c1826f-a322-41cd-9557-562100848c84.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f4c1826f-a322-41cd-9557-562100848c84.json index 0c0847f56..bd60d8973 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f4c1826f-a322-41cd-9557-562100848c84.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f4c1826f-a322-41cd-9557-562100848c84.json @@ -27,7 +27,8 @@ "platforms": [ "Windows", "Linux", - "macOS" + "macOS", + "Network" ], "kill_chain": [ { diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317.json index e2ea189e1..17c325265 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "name": "Spearphishing via Service", - "description": "Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", + "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. 
It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6.json new file mode 100644 index 000000000..d1b273ea6 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6.json 
@@ -0,0 +1,26 @@ +{ + "id": "attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6", + "name": "Spearphishing Service", + "description": "Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. 
Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1598.001", + "url": "https://attack.mitre.org/techniques/T1598/001" + }, + { + "source_name": "ThreatPost Social Media Phishing", + "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/", + "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba.json new file mode 100644 index 000000000..ee2e3ff82 --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba.json 
@@ -0,0 +1,31 @@ +{ + "id": "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", + "name": "Domains", + "description": "Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.001", + "url": "https://attack.mitre.org/techniques/T1584/001" + }, + { + "source_name": "ICANNDomainNameHijacking", + "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.", + "url": "https://www.icann.org/groups/ssac/documents/sac-007-en" + }, + { + "source_name": "Microsoft Sub Takeover 2020", + "url": "https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover", + "description": "Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020." + } + ], + "platforms": [ + "PRE" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd.json new file mode 100644 index 000000000..26f3180ef --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd.json 
@@ -0,0 +1,43 @@ +{ + "id": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd", + "name": "Network Device Authentication", + "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1556.004", + "url": "https://attack.mitre.org/techniques/T1556/004" + }, + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13", + "description": "Cisco. (n.d.). 
Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8.json index 59f5e3946..f559d7a47 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8.json @@ -9,8 +9,9 @@ "url": "https://attack.mitre.org/techniques/T1385" }, { - "description": "PETER BRIGHT. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", - "source_name": "AnonHBGary" + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" }, { "description": "Taylor Armerding. (2012, October 25). Line blurs between insider, outsider attacks. Retrieved March 9, 2017.", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490.json index 13bfd4116..51a469827 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490.json 
@@ -9,9 +9,9 @@ "url": "https://attack.mitre.org/techniques/T1574/004" }, { - "external_id": "CAPEC-CAPEC", + "external_id": "CAPEC-471", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/CAPEC.html" + "url": "https://capec.mitre.org/data/definitions/471.html" }, { "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d.json new file mode 100644 index 000000000..f348097da --- /dev/null +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d.json 
@@ -0,0 +1,29 @@ +{ + "id": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "name": "Downgrade System Image", + "description": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). ", + "references": [ + { + "source_name": "mitre-attack", + "external_id": "T1601.002", + "url": "https://attack.mitre.org/techniques/T1601/002" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + } + ], + "platforms": [ + "Network" + ], + "kill_chain": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "permissions": [ + "Administrator" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234.json index ffe4fb3fe..a1673d947 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234.json @@ -1,7 +1,7 @@ { "id": "attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234", "name": "Create custom payloads", - "description": "A payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. (Citation: APT1)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1345).\n\nA payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. (Citation: APT1)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925.json index 54f1a830b..866d16158 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925", "name": "Analyze application security posture", - "description": "An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: Li2014ExploitKits) (Citation: RecurlyGHOST)", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1293).\n\nAn adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: Li2014ExploitKits) (Citation: RecurlyGHOST)", "references": [ { "source_name": "mitre-pre-attack", diff --git a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335.json b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335.json index e3954862f..38441380c 100644 --- a/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335.json +++ b/cdas/assets/mitre_cti/attack-patterns/attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335.json 
@@ -1,7 +1,7 @@ { "id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335", "name": "COR_PROFILER", - "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)", "references": [ { "source_name": "mitre-attack", diff --git a/cdas/assets/mitre_cti/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json b/cdas/assets/mitre_cti/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json index 3528ab051..c15343023 100644 --- a/cdas/assets/mitre_cti/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json +++ b/cdas/assets/mitre_cti/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json @@ -9,9 +9,9 @@ "url": "https://attack.mitre.org/software/S0411" }, { - "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", + "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "source_name": "securelist rotexy 2018" + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." } ], "aliases": [ diff --git a/cdas/assets/mitre_cti/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json b/cdas/assets/mitre_cti/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json index b0b064603..962bdaea1 100644 --- a/cdas/assets/mitre_cti/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json +++ b/cdas/assets/mitre_cti/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json 
@@ -13,9 +13,9 @@ "description": "(Citation: Lookout-StealthMango)" }, { - "source_name": "Lookout-StealthMango", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + "source_name": "Lookout-StealthMango" } ], "aliases": [ diff --git a/cdas/assets/mitre_cti/malware/malware--1cdbbcab-903a-414d-8eb0-439a97343737.json b/cdas/assets/mitre_cti/malware/malware--1cdbbcab-903a-414d-8eb0-439a97343737.json new file mode 100644 index 000000000..d5ab83987 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--1cdbbcab-903a-414d-8eb0-439a97343737.json @@ -0,0 +1,25 @@ +{ + "id": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "name": "FrameworkPOS", + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)", + "references": [ + { + "external_id": "S0503", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0503" + }, + { + "source_name": "Trinity", + "description": "(Citation: SentinelOne FrameworkPOS September 2019)" + }, + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020." + } + ], + "aliases": [ + "FrameworkPOS", + "Trinity" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/malware/malware--1d808f62-cf63-4063-9727-ff6132514c22.json b/cdas/assets/mitre_cti/malware/malware--1d808f62-cf63-4063-9727-ff6132514c22.json index 9e1a2d109..4a3ddb395 100644 --- a/cdas/assets/mitre_cti/malware/malware--1d808f62-cf63-4063-9727-ff6132514c22.json +++ b/cdas/assets/mitre_cti/malware/malware--1d808f62-cf63-4063-9727-ff6132514c22.json @@ -1,7 +1,7 @@ { "id": "malware--1d808f62-cf63-4063-9727-ff6132514c22", "name": "WEBC2", - "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", + "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", "references": [ { "source_name": "mitre-attack", 
@@ -13,14 +13,14 @@ "description": "(Citation: Mandiant APT1)" }, { - "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", + "source_name": "Mandiant APT1 Appendix", "description": "Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.", - "source_name": "Mandiant APT1 Appendix" + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" }, { - "source_name": "Mandiant APT1", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", - "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + "source_name": "Mandiant APT1" } ], "aliases": [ diff --git a/cdas/assets/mitre_cti/malware/malware--20945359-3b39-4542-85ef-08ecb4e1c174.json b/cdas/assets/mitre_cti/malware/malware--20945359-3b39-4542-85ef-08ecb4e1c174.json new file mode 100644 index 000000000..48c12a09f --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--20945359-3b39-4542-85ef-08ecb4e1c174.json 
@@ -0,0 +1,28 @@ +{ + "id": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "name": "StrongPity", + "description": "[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)", + "references": [ + { + "external_id": "S0491", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0491" + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + }, + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "aliases": [ + "StrongPity" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json b/cdas/assets/mitre_cti/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json new file mode 100644 index 000000000..79c9b55c1 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "name": "Zen", + "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", + "references": [ + { + "external_id": "S0494", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0494" + }, + { + "source_name": "Google Security Zen", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + } + ], + "aliases": [ + "Zen" + ], + "platforms": [ + "Android" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json b/cdas/assets/mitre_cti/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json index 31a01f23c..79ef59d59 100644 --- a/cdas/assets/mitre_cti/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json +++ b/cdas/assets/mitre_cti/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json @@ -1,7 +1,7 @@ { "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", - "name": "XLoader", - "description": "[XLoader](https://attack.mitre.org/software/S0318) is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro-XLoader)", + "name": "XLoader for Android", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", "references": [ { "source_name": "mitre-mobile-attack", 
@@ -9,9 +9,14 @@ "external_id": "S0318" }, { - "source_name": "XLoader", + "source_name": "XLoader for Android", "description": "(Citation: TrendMicro-XLoader)" }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + }, { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", @@ -19,7 +24,7 @@ } ], "aliases": [ - "XLoader" + "XLoader for Android" ], "platforms": [ "Android" diff --git a/cdas/assets/mitre_cti/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json b/cdas/assets/mitre_cti/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json new file mode 100644 index 000000000..99cada069 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "name": "XLoader for iOS", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", + "references": [ + { + "external_id": "S0490", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0490" + }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + } + ], + "aliases": [ + "XLoader for iOS" + ], + "platforms": [ + "iOS" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json b/cdas/assets/mitre_cti/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json index 309abafa6..4dee5f17a 100644 --- a/cdas/assets/mitre_cti/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json +++ b/cdas/assets/mitre_cti/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json @@ -1,7 +1,7 @@ { "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "name": "Dendroid", - "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android malware family. (Citation: Lookout-Dendroid)", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", "references": [ { "source_name": "mitre-mobile-attack", 
diff --git a/cdas/assets/mitre_cti/malware/malware--32066e94-3112-48ca-b9eb-ba2b59d2f023.json b/cdas/assets/mitre_cti/malware/malware--32066e94-3112-48ca-b9eb-ba2b59d2f023.json index 764adb2ae..b1dc3eb1e 100644 --- a/cdas/assets/mitre_cti/malware/malware--32066e94-3112-48ca-b9eb-ba2b59d2f023.json +++ b/cdas/assets/mitre_cti/malware/malware--32066e94-3112-48ca-b9eb-ba2b59d2f023.json @@ -1,7 +1,7 @@ { "id": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "name": "Emotet", - "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)", + "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)", "references": [ { "external_id": "S0367", diff --git a/cdas/assets/mitre_cti/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json b/cdas/assets/mitre_cti/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json new file mode 100644 index 000000000..e6165919b --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "name": "Desert Scorpion", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ", + "references": [ + { + "external_id": "S0505", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0505" + }, + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "aliases": [ + "Desert Scorpion" + ], + "platforms": [ + "Android" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--35cd1d01-1ede-44d2-b073-a264d727bc04.json b/cdas/assets/mitre_cti/malware/malware--35cd1d01-1ede-44d2-b073-a264d727bc04.json index 640eebca0..b6258861d 100644 --- a/cdas/assets/mitre_cti/malware/malware--35cd1d01-1ede-44d2-b073-a264d727bc04.json +++ b/cdas/assets/mitre_cti/malware/malware--35cd1d01-1ede-44d2-b073-a264d727bc04.json 
@@ -13,14 +13,14 @@ "description": "(Citation: Securelist Machete Aug 2014)" }, { - "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.", + "source_name": "ESET Machete July 2019", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf", - "source_name": "ESET Machete July 2019" + "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019." }, { - "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.", + "source_name": "Securelist Machete Aug 2014", "url": "https://securelist.com/el-machete/66108/", - "source_name": "Securelist Machete Aug 2014" + "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019." } ], "aliases": [ diff --git a/cdas/assets/mitre_cti/malware/malware--3a4197ae-ec63-4162-907b-9a073d1157e4.json b/cdas/assets/mitre_cti/malware/malware--3a4197ae-ec63-4162-907b-9a073d1157e4.json new file mode 100644 index 000000000..64365c75c --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--3a4197ae-ec63-4162-907b-9a073d1157e4.json 
@@ -0,0 +1,33 @@ +{ + "id": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "name": "WellMess", + "description": "[WellMess](https://attack.mitre.org/software/S0514) is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)", + "references": [ + { + "external_id": "S0514", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0514" + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + }, + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "aliases": [ + "WellMess" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128.json b/cdas/assets/mitre_cti/malware/malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128.json new file mode 100644 index 000000000..2226e54b4 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128.json 
@@ -0,0 +1,30 @@ +{ + "id": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "name": "Dacls", + "description": "[Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)", + "references": [ + { + "external_id": "S0497", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0497" + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "aliases": [ + "Dacls" + ], + "platforms": [ + "macOS", + "Linux", + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--3d57dcc4-be99-4613-9482-d5218f5ec13e.json b/cdas/assets/mitre_cti/malware/malware--3d57dcc4-be99-4613-9482-d5218f5ec13e.json new file mode 100644 index 000000000..2cbfb7d74 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--3d57dcc4-be99-4613-9482-d5218f5ec13e.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "name": "PolyglotDuke", + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)", + "references": [ + { + "external_id": "S0518", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0518" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "aliases": [ + "PolyglotDuke" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json b/cdas/assets/mitre_cti/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json index 6d8b84ed5..2a7ca1bb2 100644 --- a/cdas/assets/mitre_cti/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json +++ b/cdas/assets/mitre_cti/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json @@ -1,7 +1,7 @@ { "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "name": "Twitoor", - "description": "[Twitoor](https://attack.mitre.org/software/S0302) is an Android malware family that likely spreads by SMS or via malicious URLs. (Citation: ESET-Twitoor)", + "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", "references": [ { "source_name": "mitre-mobile-attack", 
diff --git a/cdas/assets/mitre_cti/malware/malware--47124daf-44be-4530-9c63-038bc64318dd.json b/cdas/assets/mitre_cti/malware/malware--47124daf-44be-4530-9c63-038bc64318dd.json new file mode 100644 index 000000000..a5fd197b2 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--47124daf-44be-4530-9c63-038bc64318dd.json @@ -0,0 +1,23 @@ +{ + "id": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "name": "RegDuke", + "description": "[RegDuke](https://attack.mitre.org/software/S0511) is a first stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. [RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)", + "references": [ + { + "external_id": "S0511", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0511" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "aliases": [ + "RegDuke" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--47afe41c-4c08-485e-b062-c3bd209a1cce.json b/cdas/assets/mitre_cti/malware/malware--47afe41c-4c08-485e-b062-c3bd209a1cce.json index 0b5f0f850..c07197293 100644 --- a/cdas/assets/mitre_cti/malware/malware--47afe41c-4c08-485e-b062-c3bd209a1cce.json +++ b/cdas/assets/mitre_cti/malware/malware--47afe41c-4c08-485e-b062-c3bd209a1cce.json 
@@ -1,7 +1,7 @@ { "id": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "name": "InvisiMole", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by threat actors since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. (Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "references": [ { "source_name": "mitre-attack", @@ -16,6 +16,11 @@ "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "aliases": [ 
diff --git a/cdas/assets/mitre_cti/malware/malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b.json b/cdas/assets/mitre_cti/malware/malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b.json new file mode 100644 index 000000000..722297478 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b.json @@ -0,0 +1,24 @@ +{ + "id": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "name": "RDAT", + "description": "[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)", + "references": [ + { + "external_id": "S0495", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0495" + }, + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "aliases": [ + "RDAT", + "RDAT " + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328.json b/cdas/assets/mitre_cti/malware/malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328.json new file mode 100644 index 000000000..307ca35ed --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "name": "Bonadan", + "description": "[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)", + "references": [ + { + "external_id": "S0486", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0486" + }, + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "aliases": [ + "Bonadan" + ], + "platforms": [ + "Linux" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d.json b/cdas/assets/mitre_cti/malware/malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d.json new file mode 100644 index 000000000..05ced5b7f --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d.json 
@@ -0,0 +1,28 @@ +{ + "id": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "name": "IcedID", + "description": "[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", + "references": [ + { + "external_id": "S0483", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0483" + }, + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + }, + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "aliases": [ + "IcedID" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json b/cdas/assets/mitre_cti/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json new file mode 100644 index 000000000..fb1321308 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json 
@@ -0,0 +1,43 @@ +{ + "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "name": "Mandrake", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", + "references": [ + { + "external_id": "S0485", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0485" + }, + { + "source_name": "oxide", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "briar", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "ricinus", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "darkmatter", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + } + ], + "aliases": [ + "Mandrake", + "oxide", + "briar", + "ricinus", + "darkmatter" + ], + "platforms": [ + "Android" + ] +} \ No newline at end of file 
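Review bot: Four of the `references` entries in the new Mandrake file (`oxide`, `briar`, `ricinus`, `darkmatter`) carry only `source_name` and `description` and no `url`, while the remaining entries carry all three keys. Any consumer that indexes `ref["url"]` or `ref["external_id"]` unconditionally will raise `KeyError` on these alias-placeholder entries; read them with `ref.get("url")` and skip entries that have none. The same shape recurs in the Anchor, Karagany and REvil files added in this patch, so the loader should treat a missing `url` as normal rather than as corrupt data.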
diff --git a/cdas/assets/mitre_cti/malware/malware--54a01db0-9fab-4d5f-8209-53cef8425f4a.json b/cdas/assets/mitre_cti/malware/malware--54a01db0-9fab-4d5f-8209-53cef8425f4a.json new file mode 100644 index 000000000..0373e094e --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--54a01db0-9fab-4d5f-8209-53cef8425f4a.json @@ -0,0 +1,23 @@ +{ + "id": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "name": "FatDuke", + "description": "[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)", + "references": [ + { + "external_id": "S0512", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0512" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "aliases": [ + "FatDuke" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c.json b/cdas/assets/mitre_cti/malware/malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c.json index 24f5ead70..8ed3fedd5 100644 --- a/cdas/assets/mitre_cti/malware/malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c.json +++ b/cdas/assets/mitre_cti/malware/malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c.json @@ -9,9 +9,9 @@ "external_id": "S0051" }, { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" } ], "aliases": [ 
diff --git a/cdas/assets/mitre_cti/malware/malware--5f1d4579-4e8f-48e7-860e-2da773ae432e.json b/cdas/assets/mitre_cti/malware/malware--5f1d4579-4e8f-48e7-860e-2da773ae432e.json new file mode 100644 index 000000000..251282330 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--5f1d4579-4e8f-48e7-860e-2da773ae432e.json @@ -0,0 +1,34 @@ +{ + "id": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "name": "Anchor", + "description": "[Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)", + "references": [ + { + "external_id": "S0504", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0504" + }, + { + "source_name": "Anchor_DNS", + "description": "(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + }, + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "aliases": [ + "Anchor", + "Anchor_DNS" + ], + "platforms": [ + "Linux", + "Windows" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json b/cdas/assets/mitre_cti/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json new file mode 100644 index 000000000..34a4686fe --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json @@ -0,0 +1,24 @@ +{ + "id": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "name": "eSurv", + "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)", + "references": [ + { + "external_id": "S0507", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0507" + }, + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + } + ], + "aliases": [ + "eSurv" + ], + "platforms": [ + "Android", + "iOS" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2.json b/cdas/assets/mitre_cti/malware/malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2.json index 8cadcf906..9b0ea75b1 100644 --- a/cdas/assets/mitre_cti/malware/malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2.json +++ b/cdas/assets/mitre_cti/malware/malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2.json 
@@ -1,7 +1,7 @@ { "id": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "name": "Metamorfo", - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly brazilian users.(Citation: Medium Metamorfo Apr 2020)", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.(Citation: Medium Metamorfo Apr 2020)", "references": [ { "external_id": "S0455", diff --git a/cdas/assets/mitre_cti/malware/malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d.json b/cdas/assets/mitre_cti/malware/malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d.json index bd1a6fda8..302429a0b 100644 --- a/cdas/assets/mitre_cti/malware/malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d.json +++ b/cdas/assets/mitre_cti/malware/malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d.json @@ -1,7 +1,7 @@ { "id": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "name": "Trojan.Karagany", - "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums. (Citation: Symantec Dragonfly)", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )", "references": [ { "source_name": "mitre-attack", 
@@ -9,13 +9,33 @@ "external_id": "S0094" }, { - "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", + "source_name": "xFrost", + "description": "(Citation: Secureworks Karagany July 2019)" + }, + { + "source_name": "Karagany", + "description": "(Citation: Secureworks Karagany July 2019)" + }, + { + "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", - "source_name": "Symantec Dragonfly" + "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + }, + { + "source_name": "Dragos DYMALLOY ", + "url": "https://www.dragos.com/threat/dymalloy/", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." } ], "aliases": [ - "Trojan.Karagany" + "Trojan.Karagany", + "xFrost", + "Karagany" ], "platforms": [ "Windows" diff --git a/cdas/assets/mitre_cti/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json b/cdas/assets/mitre_cti/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json new file mode 100644 index 000000000..aaacdc2b0 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json 
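Review bot: The added reference uses `"source_name": "Dragos DYMALLOY "` with a trailing space, and the rewritten description in this file's first hunk cites it as `(Citation: Dragos DYMALLOY )` with the same trailing space. The two agree as written, but if citation tokens are resolved by exact string comparison against `source_name`, stripping whitespace on only one side (for instance when parsing the `(Citation: …)` tokens out of the description) would leave this citation unresolved. Compare with both sides stripped, `tok.strip() == ref["source_name"].strip()`, or leave both untouched; do not hand-edit the vendored file, since it will be overwritten on the next refresh.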
@@ -0,0 +1,23 @@ +{ + "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "name": "FakeSpy", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", + "references": [ + { + "external_id": "S0509", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0509" + }, + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + } + ], + "aliases": [ + "FakeSpy" + ], + "platforms": [ + "Android" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--8393dac0-0583-456a-9372-fd81691bca20.json b/cdas/assets/mitre_cti/malware/malware--8393dac0-0583-456a-9372-fd81691bca20.json new file mode 100644 index 000000000..b6f2bfab9 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--8393dac0-0583-456a-9372-fd81691bca20.json @@ -0,0 +1,23 @@ +{ + "id": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "name": "PipeMon", + "description": "[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)", + "references": [ + { + "external_id": "S0501", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0501" + }, + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "aliases": [ + "PipeMon" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/malware/malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053.json b/cdas/assets/mitre_cti/malware/malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053.json new file mode 100644 index 000000000..6ab7d1ba0 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053.json @@ -0,0 +1,28 @@ +{ + "id": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", + "name": "SYNful Knock", + "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)", + "references": [ + { + "external_id": "S0519", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0519" + }, + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + } + ], + "aliases": [ + "SYNful Knock" + ], + "platforms": [ + "Network" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b.json b/cdas/assets/mitre_cti/malware/malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b.json new file mode 100644 index 000000000..0293d788f --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b.json 
@@ -0,0 +1,33 @@ +{ + "id": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "name": "Ngrok", + "description": "[Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)", + "references": [ + { + "external_id": "S0508", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0508" + }, + { + "source_name": "Zdnet Ngrok September 2018", + "url": "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/", + "description": "Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020." + }, + { + "source_name": "FireEye Maze May 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." + }, + { + "source_name": "Cyware Ngrok May 2019", + "url": "https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44", + "description": "Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims\u2019 systems. Retrieved September 15, 2020." + } + ], + "aliases": [ + "Ngrok" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/malware/malware--959f3b19-2dc8-48d5-8942-c66813a5101a.json b/cdas/assets/mitre_cti/malware/malware--959f3b19-2dc8-48d5-8942-c66813a5101a.json new file mode 100644 index 000000000..ff56332d0 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--959f3b19-2dc8-48d5-8942-c66813a5101a.json @@ -0,0 +1,28 @@ +{ + "id": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "name": "WellMail", + "description": "[WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)", + "references": [ + { + "external_id": "S0515", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0515" + }, + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "aliases": [ + "WellMail" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--99164b38-1775-40bc-b77b-a2373b14540a.json b/cdas/assets/mitre_cti/malware/malware--99164b38-1775-40bc-b77b-a2373b14540a.json new file mode 100644 index 000000000..86a7b87bf --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--99164b38-1775-40bc-b77b-a2373b14540a.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "name": "Drovorub", + "description": "[Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)", + "references": [ + { + "external_id": "S0502", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0502" + }, + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "aliases": [ + "Drovorub" + ], + "platforms": [ + "Linux" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c.json b/cdas/assets/mitre_cti/malware/malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c.json index 0f101f9cb..6598e684b 100644 --- a/cdas/assets/mitre_cti/malware/malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c.json +++ b/cdas/assets/mitre_cti/malware/malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c.json @@ -10,7 +10,8 @@ }, { "source_name": "RATANKBA", - "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018." + "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" }, { "source_name": "Lazarus RATANKBA", 
diff --git a/cdas/assets/mitre_cti/malware/malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862.json b/cdas/assets/mitre_cti/malware/malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862.json new file mode 100644 index 000000000..412e32a93 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862.json @@ -0,0 +1,23 @@ +{ + "id": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "name": "Cryptoistic", + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)", + "references": [ + { + "external_id": "S0498", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0498" + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "aliases": [ + "Cryptoistic" + ], + "platforms": [ + "macOS" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/tools/tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39.json b/cdas/assets/mitre_cti/malware/malware--a7881f21-e978-4fe4-af56-92c9416a2616.json similarity index 84% rename from cdas/assets/mitre_cti/tools/tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39.json rename to cdas/assets/mitre_cti/malware/malware--a7881f21-e978-4fe4-af56-92c9416a2616.json index 02edaf2ff..cd43bbb7a 100644 --- a/cdas/assets/mitre_cti/tools/tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39.json +++ b/cdas/assets/mitre_cti/malware/malware--a7881f21-e978-4fe4-af56-92c9416a2616.json 
@@ -1,17 +1,17 @@ { - "id": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "id": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "name": "Cobalt Strike", "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)", "references": [ { + "external_id": "S0154", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0154", - "external_id": "S0154" + "url": "https://attack.mitre.org/software/S0154" }, { - "url": "https://cobaltstrike.com/downloads/csmanual38.pdf", + "source_name": "cobaltstrike manual", "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.", - "source_name": "cobaltstrike manual" + "url": "https://cobaltstrike.com/downloads/csmanual38.pdf" } ], "aliases": [ diff --git a/cdas/assets/mitre_cti/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json b/cdas/assets/mitre_cti/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json new file mode 100644 index 000000000..ffb657169 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json 
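Review bot: This rename changes the object's primary key from `tool--aafea02e-…` to `malware--a7881f21-…`, so any relationship object or cdas lookup that still references the old `tool--` id would dangle after this commit; the `external_id` `S0154` is the only identifier that survives the move. Nothing in this chunk shows relationship files being updated, so confirm they are, or key software lookups on `external_id` rather than on the STIX id so that upstream reclassifications like this one are harmless. The `description` still calls it a penetration testing tool although the file now lives under `malware/`; that wording follows upstream ATT&CK and need not change here.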
@@ -0,0 +1,83 @@ +{ + "id": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "name": "REvil", + "description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496) is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", + "references": [ + { + "external_id": "S0496", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0496" + }, + { + "source_name": "Sodin", + "description": "(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)" + }, + { + "source_name": "Sodinokibi", + "description": "(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)" + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. 
Retrieved August 4, 2020." + }, + { + "source_name": "Group IB Ransomware May 2020", + "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html", + "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020." + }, + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "G Data Sodinokibi June 2019", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020." + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "Talos Sodinokibi April 2019", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). 
McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee REvil October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + } + ], + "aliases": [ + "REvil", + "Sodin", + "Sodinokibi" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--ade37ada-14af-4b44-b36c-210eec255d53.json b/cdas/assets/mitre_cti/malware/malware--ade37ada-14af-4b44-b36c-210eec255d53.json index 80afd6081..86f9d012d 100644 --- a/cdas/assets/mitre_cti/malware/malware--ade37ada-14af-4b44-b36c-210eec255d53.json +++ b/cdas/assets/mitre_cti/malware/malware--ade37ada-14af-4b44-b36c-210eec255d53.json @@ -1,7 +1,7 @@ { "id": "malware--ade37ada-14af-4b44-b36c-210eec255d53", "name": "Valak", - "description": "[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", "references": [ { "external_id": "S0476", 
@@ -12,6 +12,11 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." } ], "aliases": [ diff --git a/cdas/assets/mitre_cti/malware/malware--b136d088-a829-432c-ac26-5529c26d4c7e.json b/cdas/assets/mitre_cti/malware/malware--b136d088-a829-432c-ac26-5529c26d4c7e.json index d5a30dbfb..611795fae 100644 --- a/cdas/assets/mitre_cti/malware/malware--b136d088-a829-432c-ac26-5529c26d4c7e.json +++ b/cdas/assets/mitre_cti/malware/malware--b136d088-a829-432c-ac26-5529c26d4c7e.json @@ -9,9 +9,9 @@ "external_id": "S0052" }, { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" } ], "aliases": [ diff --git a/cdas/assets/mitre_cti/malware/malware--b9704a7d-feef-4af9-8898-5280f1686326.json b/cdas/assets/mitre_cti/malware/malware--b9704a7d-feef-4af9-8898-5280f1686326.json new file mode 100644 index 000000000..14f65324a --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--b9704a7d-feef-4af9-8898-5280f1686326.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "name": "GoldenSpy", + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the \"Intelligent Tax\" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020) ", + "references": [ + { + "external_id": "S0493", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0493" + }, + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "aliases": [ + "GoldenSpy" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--bbcd7a02-ef24-4171-ac94-a93540173b94.json b/cdas/assets/mitre_cti/malware/malware--bbcd7a02-ef24-4171-ac94-a93540173b94.json new file mode 100644 index 000000000..0b727f48d --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--bbcd7a02-ef24-4171-ac94-a93540173b94.json 
@@ -0,0 +1,33 @@ +{ + "id": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "name": "Carberp", + "description": "[Carberp](https://attack.mitre.org/software/S0484) is a credential and information stealing malware that has been active since at least 2009. [Carberp](https://attack.mitre.org/software/S0484)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://attack.mitre.org/software/S0030) backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)", + "references": [ + { + "external_id": "S0484", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0484" + }, + { + "source_name": "Trend Micro Carberp February 2014", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp", + "description": "Trend Micro. (2014, February 27). CARBERP. Retrieved July 29, 2020." + }, + { + "source_name": "KasperskyCarbanak", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.", + "url": "https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/" + }, + { + "source_name": "RSA Carbanak November 2017", + "url": "https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf", + "description": "RSA. (2017, November 21). THE CARBANAK/FIN7 SYNDICATE A HISTORICAL OVERVIEW OF AN EVOLVING THREAT. Retrieved July 29, 2020." + } + ], + "aliases": [ + "Carberp" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2.json b/cdas/assets/mitre_cti/malware/malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2.json new file mode 100644 index 000000000..d286e3d88 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "name": "Pillowmint", + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)", + "references": [ + { + "external_id": "S0517", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0517" + }, + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "aliases": [ + "Pillowmint" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--c984b414-b766-44c5-814a-2fe96c913c12.json b/cdas/assets/mitre_cti/malware/malware--c984b414-b766-44c5-814a-2fe96c913c12.json new file mode 100644 index 000000000..9615b2018 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--c984b414-b766-44c5-814a-2fe96c913c12.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "name": "Kessel", + "description": "[Kessel](https://attack.mitre.org/software/S0487) is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. [Kessel](https://attack.mitre.org/software/S0487) has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)", + "references": [ + { + "external_id": "S0487", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0487" + }, + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "aliases": [ + "Kessel" + ], + "platforms": [ + "Linux" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--d9f7383c-95ec-4080-bbce-121c9384457b.json b/cdas/assets/mitre_cti/malware/malware--d9f7383c-95ec-4080-bbce-121c9384457b.json index 9caa255b1..3cb126c14 100644 --- a/cdas/assets/mitre_cti/malware/malware--d9f7383c-95ec-4080-bbce-121c9384457b.json +++ b/cdas/assets/mitre_cti/malware/malware--d9f7383c-95ec-4080-bbce-121c9384457b.json 
@@ -1,7 +1,7 @@ { "id": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", - "name": "MAZE", - "description": "[MAZE](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [MAZE](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)", + "name": "Maze", + "description": "[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)", "references": [ { "external_id": "S0449", @@ -17,10 +17,15 @@ "source_name": "McAfee Maze March 2020", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." + }, + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." } ], "aliases": [ - "MAZE" + "Maze" ], "platforms": [ "Windows" diff --git a/cdas/assets/mitre_cti/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json b/cdas/assets/mitre_cti/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json new file mode 100644 index 000000000..c902b894d --- /dev/null 
+++ b/cdas/assets/mitre_cti/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json @@ -0,0 +1,23 @@ +{ + "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "name": "WolfRAT", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", + "references": [ + { + "external_id": "S0489", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0489" + }, + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + } + ], + "aliases": [ + "WolfRAT" + ], + "platforms": [ + "Android" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--e33e4603-afab-402d-b2a1-248d435b5fe0.json b/cdas/assets/mitre_cti/malware/malware--e33e4603-afab-402d-b2a1-248d435b5fe0.json new file mode 100644 index 000000000..af242c1c4 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--e33e4603-afab-402d-b2a1-248d435b5fe0.json 
@@ -0,0 +1,28 @@ +{ + "id": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "name": "SoreFang", + "description": "[SoreFang](https://attack.mitre.org/software/S0516) is first stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)", + "references": [ + { + "external_id": "S0516", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0516" + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + }, + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "aliases": [ + "SoreFang" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586.json b/cdas/assets/mitre_cti/malware/malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586.json new file mode 100644 index 000000000..45471b96b --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586.json 
@@ -0,0 +1,23 @@ +{ + "id": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "name": "CookieMiner", + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)", + "references": [ + { + "external_id": "S0492", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0492" + }, + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "aliases": [ + "CookieMiner" + ], + "platforms": [ + "macOS" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--ef2247bf-8062-404b-894f-d65d00564817.json b/cdas/assets/mitre_cti/malware/malware--ef2247bf-8062-404b-894f-d65d00564817.json new file mode 100644 index 000000000..f8d9b79f9 --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--ef2247bf-8062-404b-894f-d65d00564817.json 
@@ -0,0 +1,33 @@ +{ + "id": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "name": "Hancitor", + "description": "[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)", + "references": [ + { + "external_id": "S0499", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0499" + }, + { + "source_name": "Chanitor", + "description": "(Citation: FireEye Hancitor)" + }, + { + "source_name": "Threatpost Hancitor", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020." + }, + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "aliases": [ + "Hancitor", + "Chanitor" + ], + "platforms": [ + "Windows" + ] +} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/malware/malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7.json b/cdas/assets/mitre_cti/malware/malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7.json index 4cd96afb6..f15de728b 100644 --- a/cdas/assets/mitre_cti/malware/malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7.json +++ b/cdas/assets/mitre_cti/malware/malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7.json 
@@ -17,9 +17,9 @@ "description": "(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)" }, { - "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.", + "source_name": "Carbon Black Shlayer Feb 2019", "url": "https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/", - "source_name": "Carbon Black Shlayer Feb 2019" + "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019." }, { "source_name": "Intego Shlayer Feb 2018", diff --git a/cdas/assets/mitre_cti/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json b/cdas/assets/mitre_cti/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json new file mode 100644 index 000000000..227b2107a --- /dev/null +++ b/cdas/assets/mitre_cti/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json @@ -0,0 +1,23 @@ +{ + "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "name": "ViperRAT", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", + "references": [ + { + "external_id": "S0506", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0506" + }, + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + } + ], + "aliases": [ + "ViperRAT" + ], + "platforms": [ + "Android" + ] +} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/malware/malware--fc774af4-533b-4724-96d2-ac1026316794.json b/cdas/assets/mitre_cti/malware/malware--fc774af4-533b-4724-96d2-ac1026316794.json index 1b4c50aaf..0f960c9b6 100644 --- a/cdas/assets/mitre_cti/malware/malware--fc774af4-533b-4724-96d2-ac1026316794.json +++ b/cdas/assets/mitre_cti/malware/malware--fc774af4-533b-4724-96d2-ac1026316794.json @@ -1,7 +1,7 @@ { "id": "malware--fc774af4-533b-4724-96d2-ac1026316794", "name": "HiddenWasp", - "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", + "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", "references": [ { "external_id": "S0394", diff --git a/cdas/assets/mitre_cti/relationships.json b/cdas/assets/mitre_cti/relationships.json index 8eb12638a..90c2ef4a8 100644 --- a/cdas/assets/mitre_cti/relationships.json +++ b/cdas/assets/mitre_cti/relationships.json @@ -9,11 +9,6 @@ "uses", "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc" ], - [ - "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", - "uses", - "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", 
@@ -34,21 +29,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "tool--9de2308e-7bed-43a3-8e58-f194b3586700" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4" - ], - [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", - "uses", - "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" - ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", "uses", @@ -69,16 +49,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", - "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" - ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab" - ], [ "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "subtechnique-of", @@ -89,6 +59,11 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], + [ + "attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3", + "subtechnique-of", + "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365" + ], [ "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825", "subtechnique-of", @@ -119,20 +94,15 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" + "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", 
@@ -144,11 +114,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925" - ], [ "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d", "uses", @@ -159,21 +124,6 @@ "uses", "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "tool--5a63f900-5e7e-4928-a746-dd4558e1df71" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" - ], [ "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2", "uses", @@ -224,11 +174,6 @@ "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" - ], [ "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4", "subtechnique-of", @@ -239,6 +184,11 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], + [ + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "uses", + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + ], [ "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "uses", @@ -254,16 +204,6 @@ "uses", "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" - ], [ "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "uses", 
@@ -279,11 +219,6 @@ "uses", "attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--6b62e336-176f-417b-856a-8552dd8c44e1", "uses", @@ -304,26 +239,11 @@ "uses", "attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "malware--8dbadf80-468c-4a62-b817-4e4d8b606887" - ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" - ], [ "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", "uses", @@ -344,11 +264,6 @@ "uses", "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" - ], [ "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", @@ -360,20 +275,15 @@ "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", + "malware--99164b38-1775-40bc-b77b-a2373b14540a", "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" - ], [ "malware--79499993-a8d6-45eb-b343-bf58dea5bdde", "uses", 
@@ -404,20 +314,15 @@ "uses", "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54" + "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", @@ -430,7 +335,7 @@ "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], @@ -439,21 +344,11 @@ "uses", "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783" - ], [ "malware--92b55426-109f-4d93-899f-1833ce91ff90", "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "uses", @@ -485,14 +380,14 @@ "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", + "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", - "attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3" + "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48" ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", 
@@ -509,16 +404,6 @@ "uses", "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" - ], [ "malware--43155329-3edf-47a6-9a14-7dac899b01e4", "uses", @@ -529,16 +414,16 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27" ], + [ + "attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161", + "subtechnique-of", + "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4" + ], [ "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", "uses", @@ -549,16 +434,6 @@ "uses", "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" - ], [ "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7", "uses", @@ -570,14 +445,14 @@ "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" ], [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", + "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + "attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6" ], [ - "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "uses", - "attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6" + "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00" ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", 
@@ -594,16 +469,6 @@ "uses", "attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--d1b7830a-fced-4be3-a99c-f495af9d9e1b", "uses", @@ -639,6 +504,16 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], + [ + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "uses", + "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" + ], + [ + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "uses", + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" + ], [ "malware--d69c8146-ab35-4d50-8382-6fc80e641d43", "uses", @@ -664,11 +539,6 @@ "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--aad11e34-02ca-4220-91cd-2ed420af4db3" - ], [ "malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b", "uses", @@ -689,21 +559,11 @@ "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--7343e208-7cab-45f2-a47b-41ba5e2f0fab" - ], [ "malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080", "uses", "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96" - ], [ "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "uses", @@ -714,11 +574,6 @@ "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", "uses", 
@@ -729,21 +584,11 @@ "uses", "malware--d69c8146-ab35-4d50-8382-6fc80e641d43" ], - [ - "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "uses", "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], - [ - "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7", - "uses", - "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", @@ -754,6 +599,11 @@ "uses", "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], + [ + "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "uses", + "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0" + ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", @@ -779,11 +629,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" - ], [ "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "uses", 
@@ -794,20 +639,30 @@ "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], + [ + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "uses", + "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" + ], + [ + "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "uses", + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" + ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], [ - "malware--b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", + "malware--b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4", @@ -820,14 +675,19 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470" + "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--47124daf-44be-4530-9c63-038bc64318dd", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], + [ + "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "uses", + "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470" ], [ "malware--53a42597-1974-4b8e-84fd-3675e8992053", 
@@ -835,29 +695,24 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4", "uses", "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a", "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" + "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], [ "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -884,6 +739,11 @@ "uses", "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ], + [ + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "uses", + "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605" + ], [ "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b", "uses", @@ -894,11 +754,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" - ], [ "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "uses", @@ -924,11 +779,6 @@ "uses", "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", "uses", 
@@ -959,11 +809,6 @@ "uses", "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "uses", @@ -979,11 +824,6 @@ "uses", "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b" - ], [ "malware--0852567d-7958-4f4b-8947-4f840ec8d57d", "uses", @@ -1000,14 +840,14 @@ "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e" + "attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc" ], [ "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea", @@ -1024,11 +864,6 @@ "uses", "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" - ], [ "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "uses", 
@@ -1055,22 +890,17 @@ "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" + "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" ], [ - "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", - "uses", - "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" - ], - [ - "malware--94379dec-5c87-49db-b36e-66abc0b81344", + "malware--94379dec-5c87-49db-b36e-66abc0b81344", "uses", "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" ], @@ -1080,9 +910,9 @@ "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", "uses", - "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--54895630-efd2-4608-9c24-319de972a9eb", @@ -1105,14 +935,19 @@ "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" ], [ - "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c" + "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" ], [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", + "attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41", + "subtechnique-of", + "attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4" + ], + [ + "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", "uses", - "tool--294e2560-bd48-44b2-9da2-833b5588ad11" + "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c" ], [ "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", 
@@ -1134,11 +969,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--6b62e336-176f-417b-856a-8552dd8c44e1", "uses", @@ -1155,9 +985,9 @@ "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "uses", - "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" + "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd" ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", @@ -1169,6 +999,11 @@ "subtechnique-of", "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6" ], + [ + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "uses", + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + ], [ "malware--a8a778f5-0035-4870-bb25-53dc05029586", "uses", @@ -1209,21 +1044,11 @@ "uses", "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" - ], [ "malware--95047f03-4811-4300-922e-1ba937d53a61", "uses", 
@@ -1239,20 +1064,25 @@ "uses", "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" ], + [ + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "uses", + "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + ], [ "malware--e9595678-d269-469e-ae6b-75e49259de63", "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "subtechnique-of", + "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74" ], [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" + "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336" ], [ "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", @@ -1264,11 +1094,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec" - ], [ "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "subtechnique-of", @@ -1280,7 +1105,7 @@ "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], @@ -1289,16 +1114,6 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "malware--53486bc7-7748-4716-8190-e4f1fde04c53" - ], [ "malware--43213480-78f7-4fb3-976f-d48f5f6a4c2a", "uses", 
@@ -1310,34 +1125,29 @@ "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" ], [ "malware--56e6b6c2-e573-4969-8bab-783205cebbbf", "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0" - ], [ "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7", "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466" ], [ - "malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466" + "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" ], [ "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", 
@@ -1355,30 +1165,15 @@ "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", "uses", - "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "malware--b42378e0-f147-496f-992a-26a49705395b" - ], [ "malware--56e6b6c2-e573-4969-8bab-783205cebbbf", "uses", @@ -1394,21 +1189,11 @@ "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec" - ], [ "malware--069af411-9b24-4e85-b26c-623d035bbe84", "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", @@ -1439,21 +1224,11 @@ "uses", "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534" - ], [ "malware--67e6d66b-1b82-4699-b47a-e2efb6268d14", "uses", "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--b57f419e-8b12-49d3-886b-145383725dcd", "uses", 
@@ -1464,11 +1239,6 @@ "uses", "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], [ "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "uses", @@ -1510,14 +1280,14 @@ "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" ], [ - "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", + "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a", @@ -1549,11 +1319,6 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], [ "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "uses", @@ -1564,31 +1329,16 @@ "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", "tool--03342581-f790-4f03-ba41-e82e67392e23" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - ], [ "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], [ "malware--432555de-63bf-4f2a-a3fa-f720a4561078", "uses", 
@@ -1612,7 +1362,12 @@ [ "malware--e9595678-d269-469e-ae6b-75e49259de63", "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" + "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52" + ], + [ + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "uses", + "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416" ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", @@ -1645,14 +1400,9 @@ "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "malware--d5268dfb-ae2b-4e0e-ac07-02a460613d8a" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", @@ -1694,11 +1444,6 @@ "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], - [ - "intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "uses", - "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4" - ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "uses", @@ -1709,11 +1454,6 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "tool--c9703cd3-141c-43a0-a926-380082be5d04", "uses", @@ -1724,6 +1464,11 @@ "uses", "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" ], + [ + "attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156", + "subtechnique-of", + "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4" + ], [ "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", "subtechnique-of", 
@@ -1745,14 +1490,14 @@ "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--2cfe8a26-5be7-4a09-8915-ea3d9e787513", @@ -1764,11 +1509,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" - ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", @@ -1779,11 +1519,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "uses", @@ -1794,11 +1529,6 @@ "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d" - ], [ "malware--049ff071-0b3c-4712-95d2-d21c6aa54501", "uses", 
@@ -1810,20 +1540,15 @@ "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ "malware--3161d76a-e2b2-4b97-9906-24909b735386", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" - ], [ "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "uses", @@ -1849,11 +1574,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], [ "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", "uses", @@ -1869,11 +1589,6 @@ "uses", "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], [ "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", @@ -1884,11 +1599,21 @@ "uses", "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" ], + [ + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "uses", + "attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0" + ], [ "malware--432555de-63bf-4f2a-a3fa-f720a4561078", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], + [ + "malware--8393dac0-0583-456a-9372-fd81691bca20", + "uses", + "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65" + ], [ "malware--89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", "uses", @@ -1914,6 +1639,11 @@ "subtechnique-of", "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118" ], + [ + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "uses", + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" + ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", 
@@ -1944,21 +1674,6 @@ "uses", "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d" ], - [ - "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643", - "uses", - "tool--115f88dd-0618-4389-83cb-98d33ae81848" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "malware--065196de-d7e8-4888-acfb-b2134022ba1b" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", @@ -1969,36 +1684,11 @@ "uses", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2" - ], [ "malware--5e814485-012d-423d-b769-026bfed0f451", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--8f460983-1bbb-4e7e-8094-f0b5e720f658" - ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "tool--5a63f900-5e7e-4928-a746-dd4558e1df71" - ], [ "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1", "uses", 
@@ -2019,41 +1709,16 @@ "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47" - ], [ "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "uses", "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], [ "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "uses", @@ -2069,11 +1734,6 @@ "uses", "attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "malware--e170995d-4f61-4f17-b60e-04f9a06ee517", "uses", @@ -2105,14 +1765,14 @@ "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--800bdfba-6d66-480f-9f45-15845c05cb5d", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "malware--800bdfba-6d66-480f-9f45-15845c05cb5d", + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "malware--76abb3ef-dafd-4762-97cb-a35379429db4", 
@@ -2120,65 +1780,40 @@ "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360", "uses", - "attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", "uses", - "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360", + "malware--4ab44516-ad75-4e43-a280-705dc0420e2f", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], - [ - "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], - [ - "malware--4ab44516-ad75-4e43-a280-705dc0420e2f", - "uses", - "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" + "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], [ "malware--0efefea5-78da-4022-92bc-d726139e8883", "uses", "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], [ "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", "uses", "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" ], [ "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - 
"attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" - ], [ "malware--ab3580c8-8435-4117-aace-3d9fbe46aa56", "uses", @@ -2244,16 +1879,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" - ], [ "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5", "uses", @@ -2269,6 +1894,11 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], + [ + "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "uses", + "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" + ], [ "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "subtechnique-of", @@ -2314,11 +1944,6 @@ "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c", "uses", @@ -2329,16 +1954,6 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "uses", @@ -2354,6 +1969,11 @@ "subtechnique-of", "attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b" ], + [ + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "uses", + "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", 
@@ -2364,11 +1984,6 @@ "uses", "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "malware--2a70812b-f1ef-44db-8578-a496a227aef2" - ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", "uses", @@ -2379,30 +1994,20 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004" - ], [ "malware--76abb3ef-dafd-4762-97cb-a35379429db4", "uses", "attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf" ], [ - "malware--de6cb631-52f6-4169-a73b-7965390b0c30", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", + "malware--de6cb631-52f6-4169-a73b-7965390b0c30", "uses", - "malware--b42378e0-f147-496f-992a-26a49705395b" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", @@ -2415,7 +2020,7 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819" ], @@ -2439,11 +2044,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050", "uses", 
@@ -2460,10 +2060,15 @@ "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], + [ + "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "uses", + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + ], [ "malware--3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", "uses", @@ -2484,26 +2089,11 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], [ "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--2dd34b01-6110-4aac-835d-b5e7b936b0be" - ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023" - ], [ "attack-pattern--c48a67ee-b657-45c1-91bf-6cdbe27205f8", "subtechnique-of", @@ -2514,6 +2104,11 @@ "uses", "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" ], + [ + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "uses", + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", @@ -2524,6 +2119,11 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], + [ + "attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968", + "subtechnique-of", + "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365" + ], [ "malware--bd0536d7-b081-43ae-a773-cfb057c5b988", "uses", @@ -2534,6 +2134,11 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], + [ + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "uses", + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", 
@@ -2559,21 +2164,11 @@ "uses", "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "tool--4664b683-f578-434f-919b-1c1aad2a1111" - ], [ "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "uses", "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" - ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", "uses", @@ -2584,21 +2179,11 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "uses", - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" - ], [ "malware--54895630-efd2-4608-9c24-319de972a9eb", "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f", - "uses", - "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" - ], [ "malware--8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", "uses", @@ -2614,21 +2199,11 @@ "uses", "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd" - ], [ "tool--26c87906-d750-42c5-946c-d4162c73fc7b", "uses", @@ -2654,16 +2229,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", 
@@ -2689,36 +2254,16 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", "malware--cba78a1c-186f-4112-9e6a-be1839f030f7" ], - [ - "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "uses", - "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -2729,21 +2274,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "tool--294e2560-bd48-44b2-9da2-833b5588ad11" - ], [ "malware--3249e92a-870b-426d-8790-ba311c1abfb4", "uses", @@ -2770,9 +2300,9 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" + "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ "malware--b6b3dfc7-9a81-43ff-ac04-698bad48973a", 
@@ -2784,11 +2314,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" - ], [ "malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", "uses", @@ -2799,11 +2324,6 @@ "uses", "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "malware--234e7770-99b0-4f65-b983-d3230f76a60b", "uses", @@ -2819,11 +2339,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--94379dec-5c87-49db-b36e-66abc0b81344", "uses", @@ -2835,9 +2350,9 @@ "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", "uses", - "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783" + "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5" ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", 
@@ -2894,36 +2409,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", - "uses", - "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" - ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" - ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" - ], [ "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", @@ -2934,11 +2424,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" - ], [ "malware--069af411-9b24-4e85-b26c-623d035bbe84", "uses", @@ -2975,19 +2460,14 @@ "attack-pattern--5909f20f-3c39-4795-be06-ef1ea40d350b" ], [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--d3afa961-a80c-4043-9509-282cdf69ab21", 
@@ -3000,19 +2480,14 @@ "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "malware--6b62e336-176f-417b-856a-8552dd8c44e1", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], [ - "malware--6b62e336-176f-417b-856a-8552dd8c44e1", + "malware--b9704a7d-feef-4af9-8898-5280f1686326", "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" + "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" ], [ "malware--a8a778f5-0035-4870-bb25-53dc05029586", @@ -3029,11 +2504,6 @@ "uses", "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" - ], [ "malware--53486bc7-7748-4716-8190-e4f1fde04c53", "uses", @@ -3052,7 +2522,7 @@ [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" + "malware--a7881f21-e978-4fe4-af56-92c9416a2616" ], [ "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2", @@ -3084,21 +2554,6 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], - [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", - "uses", - "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" - ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", 
@@ -3119,21 +2574,11 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], - [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", - "uses", - "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" - ], [ "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" - ], [ "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "uses", @@ -3149,11 +2594,6 @@ "uses", "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac" - ], [ "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "uses", @@ -3169,11 +2609,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--8787e86d-8475-4f13-acea-d33eb83b6105", "uses", 
@@ -3185,29 +2620,14 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "uses", - "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" + "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc" ], [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "tool--115f88dd-0618-4389-83cb-98d33ae81848", "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" - ], - [ - "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", - "uses", - "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc" - ], - [ - "tool--115f88dd-0618-4389-83cb-98d33ae81848", - "uses", - "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "malware--49abab73-3c5c-476e-afd5-69b5c732d845" + "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" ], [ "malware--3249e92a-870b-426d-8790-ba311c1abfb4", @@ -3225,14 +2645,9 @@ "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" - ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "malware--99164b38-1775-40bc-b77b-a2373b14540a", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", @@ -3264,11 +2679,6 @@ "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529" - ], [ "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "uses", 
@@ -3284,11 +2694,6 @@ "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a", "uses", @@ -3300,14 +2705,14 @@ "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], [ - "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" + "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" + "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], [ "malware--069af411-9b24-4e85-b26c-623d035bbe84", @@ -3319,11 +2724,6 @@ "subtechnique-of", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" - ], [ "malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82", "uses", @@ -3359,11 +2759,6 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" - ], [ "attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", "subtechnique-of", @@ -3375,9 +2770,9 @@ "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "malware--3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322" + "attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f", + "subtechnique-of", + "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0" ], [ "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", 
@@ -3389,16 +2784,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--3161d76a-e2b2-4b97-9906-24909b735386", "uses", @@ -3410,14 +2795,9 @@ "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" ], [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", @@ -3449,6 +2829,11 @@ "uses", "malware--56f46b17-8cfa-46c0-b501-dd52fef394e2" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" + ], [ "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", "uses", @@ -3465,9 +2850,9 @@ "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", 
@@ -3524,36 +2909,16 @@ "uses", "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--2fab555f-7664-4623-b4e0-1675ae38190b" - ], [ "malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d" - ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "uses", "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "tool--cf23bf4a-e003-4116-bbae-1ea6c558d565" - ], [ "tool--c11ac61d-50f4-444f-85d8-6f006067f0de", "uses", @@ -3570,15 +2935,20 @@ "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ - "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "malware--b4d80f8b-d2b9-4448-8844-4bef777ed676" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" ], + [ + "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "uses", + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" + ], [ "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "uses", @@ -3589,11 +2959,6 @@ "uses", "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "uses", 
@@ -3609,6 +2974,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], + [ + "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "uses", + "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755" + ], [ "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce", "uses", @@ -3655,9 +3025,9 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ "malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b", @@ -3669,31 +3039,16 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "malware--c4de7d83-e875-4c88-8b5d-06c41e5b7e79" - ], [ "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc" - ], [ "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "uses", @@ -3729,11 +3084,6 @@ "uses", "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc" ], - [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "malware--ab3580c8-8435-4117-aace-3d9fbe46aa56", "uses", 
@@ -3750,9 +3100,9 @@ "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "malware--8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e" + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], [ "malware--5189f018-fea2-45d7-b0ed-23f9ee0a46f3", @@ -3764,6 +3114,11 @@ "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], + [ + "attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "subtechnique-of", + "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a" + ], [ "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "uses", @@ -3774,41 +3129,16 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" - ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "malware--3249e92a-870b-426d-8790-ba311c1abfb4" - ], [ "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "tool--03342581-f790-4f03-ba41-e82e67392e23", "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], [ "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "uses", @@ -3824,6 +3154,11 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], + [ + "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", + "uses", + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + ], [ "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", 
@@ -3834,11 +3169,6 @@ "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", - "uses", - "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" - ], [ "malware--3161d76a-e2b2-4b97-9906-24909b735386", "uses", @@ -3854,16 +3184,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d" - ], [ "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", @@ -3910,9 +3230,9 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" + "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", @@ -3924,11 +3244,6 @@ "uses", "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" ], - [ - "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], [ "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "uses", @@ -3939,11 +3254,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" - ], [ "malware--d1531eaa-9e17-473e-a680-3298469662c3", "uses", 
@@ -3984,36 +3294,21 @@ "uses", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "malware--91000a8a-58cc-4aba-9ad0-993ad6302b86" - ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "malware--876f6a77-fbc5-4e13-ab1a-5611986730a3", "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "uses", - "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--199463de-d9be-46d6-bb41-07234c1dd5a6", "uses", @@ -4024,6 +3319,11 @@ "uses", "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], + [ + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "uses", + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + ], [ "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", "uses", @@ -4045,15 +3345,20 @@ "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d" ], [ "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a", "uses", "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" + ], [ "malware--198db886-47af-4f4c-bff5-11b891f85946", "uses", 
@@ -4074,21 +3379,6 @@ "uses", "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" - ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--96b08451-b27a-4ff6-893f-790e26393a8e", "uses", @@ -4105,19 +3395,14 @@ "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "uses", - "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", @@ -4154,21 +3439,11 @@ "uses", "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "malware--705f0783-5f7d-4491-b6b7-9628e6e006d2" - ], [ "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "uses", "attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "malware--e170995d-4f61-4f17-b60e-04f9a06ee517" - ], [ "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "uses", 
@@ -4184,16 +3459,6 @@ "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68" - ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "uses", @@ -4204,11 +3469,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", "uses", @@ -4219,6 +3479,11 @@ "uses", "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + ], [ "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "uses", @@ -4235,7 +3500,7 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], @@ -4250,9 +3515,14 @@ "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c" ], [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "uses", + "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" + ], + [ + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142" + "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], [ "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", 
@@ -4265,20 +3535,25 @@ "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" + "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], [ - "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d" ], [ "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541", "uses", "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" ], + [ + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "uses", + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + ], [ "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573", "uses", @@ -4300,14 +3575,14 @@ "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ - "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" + "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", - "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc" + "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", @@ -4320,14 +3595,9 @@ "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56" ], [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", - "malware--94379dec-5c87-49db-b36e-66abc0b81344" - ], - [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "attack-pattern--791481f8-e96a-41be-b089-a088763083d4", 
@@ -4360,14 +3630,14 @@ "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34" ], [ - "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "uses", - "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", "uses", - "malware--8be7c69e-d8e3-4970-9668-61de08e508cc" + "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], [ "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c", @@ -4404,6 +3674,11 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], + [ + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "uses", + "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" + ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", @@ -4425,12 +3700,12 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "malware--50d6688b-0985-4f3d-8cbe-0c796b30703b", "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "malware--50d6688b-0985-4f3d-8cbe-0c796b30703b", + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], @@ -4444,6 +3719,11 @@ "uses", "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], + [ + "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "uses", + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + ], [ "malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080", "uses", @@ -4454,11 +3734,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", 
@@ -4499,20 +3774,15 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2", "uses", "attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc" ], [ - "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" ], [ "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", @@ -4530,19 +3800,9 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" - ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" + "attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "subtechnique-of", + "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8" ], [ "malware--d9f7383c-95ec-4080-bbce-121c9384457b", 
@@ -4557,27 +3817,27 @@ [ "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466" ], [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" + "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9" ], [ - "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" + "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", @@ -4594,21 +3854,11 @@ "uses", "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" - ], [ "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", "subtechnique-of", "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", "uses", @@ -4644,11 +3894,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", 
@@ -4724,11 +3969,6 @@ "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f" - ], [ "malware--5e595477-2e78-4ce7-ae42-e0b059b17808", "uses", @@ -4744,6 +3984,11 @@ "subtechnique-of", "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db" ], + [ + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "uses", + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" + ], [ "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f", "uses", @@ -4759,11 +4004,6 @@ "uses", "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" - ], [ "malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "uses", @@ -4779,11 +4019,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" - ], [ "malware--e8268361-a599-4e45-bd3f-71c8c7e700c0", "uses", @@ -4809,11 +4044,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" - ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", @@ -4824,21 +4054,11 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" - ], [ "malware--e170995d-4f61-4f17-b60e-04f9a06ee517", "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], [ "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a", "uses", 
@@ -4859,6 +4079,16 @@ "uses", "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119" ], + [ + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "uses", + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + ], + [ + "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "uses", + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + ], [ "malware--f108215f-3487-489d-be8b-80e346d32518", "uses", @@ -4870,19 +4100,19 @@ "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "malware--8dbadf80-468c-4a62-b817-4e4d8b606887", + "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--8dbadf80-468c-4a62-b817-4e4d8b606887", "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119" ], [ "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", 
@@ -4890,20 +4120,25 @@ "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", + "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "uses", - "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], [ - "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" + ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", @@ -4914,31 +4149,16 @@ "uses", "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], [ "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", "uses", "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", "uses", 
@@ -4974,16 +4194,6 @@ "uses", "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "malware--9e2bba94-950b-4fcf-8070-cb3f816c5f4e" - ], [ "malware--04227b24-7817-4de1-9050-b7b1b57f5866", "uses", @@ -4999,11 +4209,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" - ], [ "malware--56e6b6c2-e573-4969-8bab-783205cebbbf", "uses", @@ -5030,9 +4235,9 @@ "malware--b42378e0-f147-496f-992a-26a49705395b" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ "malware--92b55426-109f-4d93-899f-1833ce91ff90", @@ -5044,11 +4249,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "tool--999c4e6e-b8dc-4b4f-8d6e-1b829f29997e" - ], [ "malware--2a70812b-f1ef-44db-8578-a496a227aef2", "uses", @@ -5064,21 +4264,11 @@ "uses", "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" ], - [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e" - ], [ "malware--5189f018-fea2-45d7-b0ed-23f9ee0a46f3", "uses", 
@@ -5114,11 +4304,6 @@ "uses", "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2" - ], [ "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace", "uses", @@ -5129,11 +4314,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", @@ -5144,21 +4324,11 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", - "uses", - "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b" - ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", "attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e" - ], [ "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", @@ -5204,21 +4374,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", "uses", 
@@ -5235,14 +4390,9 @@ "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" ], [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "malware--47124daf-44be-4530-9c63-038bc64318dd", "uses", - "tool--4b57c098-f043-4da2-83ef-7588a6d426bc" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039", @@ -5269,11 +4419,6 @@ "uses", "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529" ], - [ - "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--f5352566-1a64-49ac-8f7f-97e1d1a03300", "uses", @@ -5299,21 +4444,11 @@ "uses", "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" - ], [ "malware--c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "uses", @@ -5384,11 +4519,6 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", 
@@ -5404,25 +4534,15 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--2cfe8a26-5be7-4a09-8915-ea3d9e787513", "uses", "attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211" ], [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], - [ - "intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", - "uses", - "malware--7551188b-8f91-4d34-8350-0d0c57b2b913" + "attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074", + "subtechnique-of", + "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2" ], [ "malware--aae22730-e571-4d17-b037-65f2a3e26213", @@ -5444,11 +4564,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", @@ -5464,6 +4579,11 @@ "uses", "tool--03342581-f790-4f03-ba41-e82e67392e23" ], + [ + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "uses", + "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" + ], [ "malware--40d3e230-ed32-469f-ba89-be70cc08ab39", "uses", @@ -5474,26 +4594,11 @@ "uses", "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" ], - [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", - "uses", - "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - ], [ "malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--294e2560-bd48-44b2-9da2-833b5588ad11" - ], [ "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e", "uses", 
@@ -5504,26 +4609,31 @@ "uses", "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" ], + [ + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "uses", + "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" + ], [ "tool--c9cd7ec9-40b7-49db-80be-1399eddd9c52", "uses", "attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530" ], + [ + "attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", + "subtechnique-of", + "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b" + ], [ "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" ], - [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "uses", @@ -5539,25 +4649,15 @@ "uses", "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], - [ - "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ "malware--53486bc7-7748-4716-8190-e4f1fde04c53", @@ -5584,11 +4684,6 @@ "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" - ], [ "malware--288fa242-e894-4c7e-ac86-856deedf5cea", "uses", 
@@ -5604,6 +4699,11 @@ "subtechnique-of", "attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + ], [ "malware--e494ad79-37ee-4cd0-866b-299c521d8b94", "uses", @@ -5644,11 +4744,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6" - ], [ "malware--4ab44516-ad75-4e43-a280-705dc0420e2f", "uses", @@ -5669,21 +4764,11 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00" - ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -5725,25 +4810,20 @@ "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" ], [ - "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" ], [ "malware--5dd649c0-bca4-488b-bd85-b180474ec62e", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "malware--43155329-3edf-47a6-9a14-7dac899b01e4" - ], [ "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "uses", 
@@ -5754,11 +4834,6 @@ "subtechnique-of", "attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f" - ], [ "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", "uses", @@ -5779,6 +4854,11 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], + [ + "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "subtechnique-of", + "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166" + ], [ "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", "uses", @@ -5790,9 +4870,9 @@ "attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839" ], [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122", @@ -5805,12 +4885,7 @@ "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" - ], - [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], 
@@ -5820,35 +4895,20 @@ "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "tool--294e2560-bd48-44b2-9da2-833b5588ad11" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35", "subtechnique-of", "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], [ "malware--8c050cea-86e1-4b63-bf21-7af4fa483349", "uses", @@ -5869,11 +4929,6 @@ "uses", "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "malware--54895630-efd2-4608-9c24-319de972a9eb", "uses", @@ -5884,11 +4939,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" - ], [ "malware--b879758f-bbc4-4cab-b5ba-177ac9b009b4", "uses", 
@@ -5900,19 +4950,14 @@ "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3" + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", @@ -5929,41 +4974,16 @@ "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118" - ], [ "malware--2dd34b01-6110-4aac-835d-b5e7b936b0be", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172", - "uses", - "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54" - ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", @@ -5999,6 +5019,11 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "uses", + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + ], [ "malware--a8d3d497-2da9-4797-8e0b-ed176be08654", "uses", 
@@ -6025,20 +5050,15 @@ "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" ], [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" + "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952", "uses", @@ -6074,6 +5094,11 @@ "uses", "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" + ], [ "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3", "uses", @@ -6104,11 +5129,6 @@ "uses", "attack-pattern--3120b9fa-23b8-4500-ae73-09494f607b7d" ], - [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "uses", - "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" - ], [ "malware--3161d76a-e2b2-4b97-9906-24909b735386", "uses", @@ -6119,21 +5139,6 @@ "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" - ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", 
@@ -6149,11 +5154,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "malware--432555de-63bf-4f2a-a3fa-f720a4561078" - ], [ "malware--aae22730-e571-4d17-b037-65f2a3e26213", "uses", @@ -6174,11 +5174,6 @@ "uses", "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a", "uses", 
@@ -6189,40 +5184,35 @@ "subtechnique-of", "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--069af411-9b24-4e85-b26c-623d035bbe84" - ], [ "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c", "subtechnique-of", "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" ], [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", - "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab", + "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807" ], [ - "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", + "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" + "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], [ "tool--999c4e6e-b8dc-4b4f-8d6e-1b829f29997e", @@ -6244,16 +5234,6 @@ "uses", "attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae" ], - [ - "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "uses", - "malware--d3afa961-a80c-4043-9509-282cdf69ab21" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "malware--cb444a16-3ea5-4a91-88c6-f329adcb8af3" - ], [ "malware--aae22730-e571-4d17-b037-65f2a3e26213", "uses", 
@@ -6269,6 +5249,11 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], + [ + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "uses", + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + ], [ "malware--67fc172a-36fa-4a35-88eb-4ba730ed52a6", "uses", @@ -6280,9 +5265,9 @@ "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" ], [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" + "attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c" ], [ "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf", @@ -6295,9 +5280,9 @@ "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" ], [ - "intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850", + "malware--99164b38-1775-40bc-b77b-a2373b14540a", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", @@ -6324,21 +5309,11 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], [ "malware--7343e208-7cab-45f2-a47b-41ba5e2f0fab", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], [ "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "uses", 
@@ -6349,11 +5324,21 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], + [ + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "uses", + "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" + ], [ "malware--bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", "uses", "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" + ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "uses", @@ -6390,9 +5375,9 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "uses", - "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", @@ -6414,11 +5399,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58" - ], [ "tool--96fd6cc4-a693-4118-83ec-619e5352d07d", "uses", @@ -6434,6 +5414,16 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], + [ + "attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2", + "subtechnique-of", + "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9" + ], + [ + "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "subtechnique-of", + "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754" + ], [ "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", "uses", @@ -6450,9 +5440,9 @@ "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" ], [ - "intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1" + "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec" ], [ "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605", 
@@ -6464,6 +5454,11 @@ "subtechnique-of", "attack-pattern--e6415f09-df0e-48de-9aba-928c902b7549" ], + [ + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "uses", + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", @@ -6474,50 +5469,30 @@ "uses", "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], [ "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a", "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "malware--94379dec-5c87-49db-b36e-66abc0b81344" - ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54" - ], [ "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", "uses", "attack-pattern--768dce68-8d0d-477a-b01d-0eea98b963a1" ], [ - "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", + "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", - "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d" + "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d" ], [ "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", 
@@ -6525,39 +5500,39 @@ "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" ], [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" + "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d" ], [ "malware--d1b7830a-fced-4be3-a99c-f495af9d9e1b", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], + [ + "attack-pattern--1cec9319-743b-4840-bb65-431547bce82a", + "subtechnique-of", + "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf" + ], [ "malware--b45747dc-87ca-4597-a245-7e16a61bc491", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54" ], [ - "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647", + "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "uses", - "tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54" + "attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf" ], [ - "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf" + "attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8" ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", 
@@ -6584,25 +5559,15 @@ "uses", "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], [ "malware--8c050cea-86e1-4b63-bf21-7af4fa483349", "uses", "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08" - ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" + "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd" ], [ "malware--3161d76a-e2b2-4b97-9906-24909b735386", @@ -6615,24 +5580,14 @@ "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "malware--76abb3ef-dafd-4762-97cb-a35379429db4", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], - [ - "malware--76abb3ef-dafd-4762-97cb-a35379429db4", - "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" - ], - [ - "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", 
@@ -6645,35 +5600,25 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" + "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", - "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], - [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", - "uses", - "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34" - ], [ "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f" - ], [ "malware--73c4711b-407a-449d-b269-e3b1531fe7a9", "uses", @@ -6739,21 +5684,6 @@ "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" - ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--6b62e336-176f-417b-856a-8552dd8c44e1", "uses", @@ -6769,11 +5699,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "uses", 
@@ -6799,50 +5724,40 @@ "uses", "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d" - ], [ "attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d", "subtechnique-of", "attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53" ], [ - "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], [ - "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d", + "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--691c60e2-273d-4d56-9ce6-b67e0f8719ad", "uses", "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], - [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" - ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "uses", "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" ], [ - "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", + "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", "uses", - "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf" + "attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b" ], [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], [ "malware--f6d1d2cb-12f5-4221-9636-44606ea1f3f8", 
@@ -6859,21 +5774,11 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" - ], [ "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" - ], [ "malware--aad11e34-02ca-4220-91cd-2ed420af4db3", "uses", @@ -6885,20 +5790,10 @@ "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47" ], - [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f" - ], [ "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", "subtechnique-of", @@ -6914,11 +5809,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" - ], [ "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", "uses", @@ -6934,21 +5824,6 @@ "uses", "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--50d6688b-0985-4f3d-8cbe-0c796b30703b" - ], - [ - "malware--ade37ada-14af-4b44-b36c-210eec255d53", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49" - ], [ "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "uses", 
@@ -6959,6 +5834,11 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + ], [ "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952", "uses", @@ -6975,14 +5855,14 @@ "attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d" ], [ - "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", + "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", @@ -6994,6 +5874,11 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], + [ + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "uses", + "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" + ], [ "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "uses", @@ -7019,11 +5904,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "tool--4664b683-f578-434f-919b-1c1aad2a1111" - ], [ "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "uses", @@ -7034,11 +5914,6 @@ "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade" - ], [ "malware--a8d3d497-2da9-4797-8e0b-ed176be08654", "uses", @@ -7049,11 +5924,6 @@ "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], [ "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea", "uses", 
@@ -7089,16 +5959,6 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47" - ], [ "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", @@ -7124,11 +5984,6 @@ "uses", "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a" - ], [ "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "uses", @@ -7154,11 +6009,6 @@ "uses", "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], [ "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", @@ -7179,16 +6029,6 @@ "uses", "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" - ], [ "malware--fb261c56-b80e-43a9-8351-c84081e7213d", "uses", @@ -7230,9 +6070,9 @@ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37" ], [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ "malware--a020a61c-423f-4195-8c46-ba1d21abba37", 
@@ -7249,11 +6089,6 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", @@ -7284,6 +6119,11 @@ "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" + ], [ "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", "uses", @@ -7305,19 +6145,9 @@ "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "uses", - "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92" + "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56" ], [ "malware--92b55426-109f-4d93-899f-1833ce91ff90", @@ -7344,6 +6174,11 @@ "uses", "attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada" ], + [ + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "uses", + "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" + ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", 
@@ -7359,50 +6194,25 @@ "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "tool--115f88dd-0618-4389-83cb-98d33ae81848", "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" - ], - [ - "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "uses", - "malware--fb261c56-b80e-43a9-8351-c84081e7213d" - ], [ "malware--705f0783-5f7d-4491-b6b7-9628e6e006d2", "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", + "malware--754effde-613c-4244-a83e-fb659b2a4d06", "uses", - "tool--30489451-5886-4c46-90c9-0dff9adc5252" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "malware--754effde-613c-4244-a83e-fb659b2a4d06", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd" ], [ "malware--9ca488bd-9587-48ef-b923-1743523e63b2", 
@@ -7414,40 +6224,35 @@ "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], - [ - "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "uses", - "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f" - ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" ], [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "malware--5be33fef-39c0-4532-84ee-bea31e1b5324" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "malware--a8d3d497-2da9-4797-8e0b-ed176be08654", "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" + "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], [ - "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "malware--a8d3d497-2da9-4797-8e0b-ed176be08654", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" + "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], [ "malware--49abab73-3c5c-476e-afd5-69b5c732d845", @@ -7504,11 +6309,6 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" - ], [ "malware--54895630-efd2-4608-9c24-319de972a9eb", "uses", 
@@ -7544,6 +6344,11 @@ "uses", "attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36" ], + [ + "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", + "uses", + "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd" + ], [ "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", @@ -7559,11 +6364,6 @@ "uses", "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" ], - [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "malware--54e8672d-5338-4ad1-954a-a7c986bee530", "uses", @@ -7579,11 +6379,6 @@ "subtechnique-of", "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613", "uses", @@ -7614,30 +6409,15 @@ "uses", "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" ], - [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", - "uses", - "tool--4664b683-f578-434f-919b-1c1aad2a1111" - ], [ "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" ], [ - "intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "uses", - "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", 
@@ -7650,14 +6430,9 @@ "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "malware--76abb3ef-dafd-4762-97cb-a35379429db4", @@ -7665,25 +6440,15 @@ "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" + "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], [ "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", "uses", "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" - ], [ "malware--76abb3ef-dafd-4762-97cb-a35379429db4", "uses", @@ -7700,14 +6465,14 @@ "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" ], [ - "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" + "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", + "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" + "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], [ "malware--7dbb67c7-270a-40ad-836e-c45f8948aa5a", 
@@ -7719,11 +6484,6 @@ "uses", "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "malware--e85cae1a-bce3-4ac4-b36b-b00acac0567b" - ], [ "malware--ae9d818d-95d0-41da-b045-9cabea1ca164", "uses", @@ -7764,46 +6524,31 @@ "uses", "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f" - ], [ "malware--c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "malware--b42378e0-f147-496f-992a-26a49705395b" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "tool--da04ac30-27da-4959-a67d-450ce47d9470", "uses", "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" ], + [ + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "uses", + "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" + ], [ "tool--115f88dd-0618-4389-83cb-98d33ae81848", "uses", @@ -7819,6 +6564,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6" + ], [ "malware--8be7c69e-d8e3-4970-9668-61de08e508cc", "uses", 
@@ -7830,7 +6580,7 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], @@ -7894,21 +6644,6 @@ "uses", "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" - ], [ "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "uses", @@ -7939,11 +6674,21 @@ "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], + [ + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "uses", + "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" + ], [ "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d", "subtechnique-of", "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", @@ -7979,6 +6724,16 @@ "uses", "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6" ], + [ + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "uses", + "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" + ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + ], [ "malware--6b62e336-176f-417b-856a-8552dd8c44e1", "uses", 
@@ -8000,9 +6755,9 @@ "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" + "attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4", + "subtechnique-of", + "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23" ], [ "malware--b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", @@ -8014,6 +6769,11 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], + [ + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "uses", + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + ], [ "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", "uses", @@ -8024,6 +6784,11 @@ "uses", "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + ], [ "attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3", "subtechnique-of", @@ -8034,20 +6799,15 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" - ], [ "malware--fde50aaa-f5de-4cb8-989a-babb57d6a704", "uses", "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", + "malware--99164b38-1775-40bc-b77b-a2373b14540a", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" ], [ "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", @@ -8089,6 +6849,11 @@ "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], + [ + "malware--8393dac0-0583-456a-9372-fd81691bca20", + "uses", + "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" + ], [ "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", "uses", 
@@ -8105,9 +6870,9 @@ "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c" + "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" ], [ "malware--7dbb67c7-270a-40ad-836e-c45f8948aa5a", @@ -8175,20 +6940,15 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "uses", - "tool--96fd6cc4-a693-4118-83ec-619e5352d07d" + "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" ], [ "malware--d20b397a-ea47-48a9-b503-2e2a3551e11d", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", "uses", @@ -8234,11 +6994,6 @@ "uses", "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "malware--5a84dc36-df0d-4053-9b7c-f0c388a57283" - ], [ "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "uses", 
@@ -8254,36 +7009,16 @@ "uses", "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53" - ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "tool--64764dc6-a032-495f-8250-1e4c06bdc163", "uses", "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", @@ -8304,26 +7039,11 @@ "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf", "uses", "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0" ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "tool--96fd6cc4-a693-4118-83ec-619e5352d07d" - ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", @@ -8334,11 +7054,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" - ], [ "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "uses", 
@@ -8359,31 +7074,16 @@ "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", "attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4" - ], [ "malware--f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" - ], [ "malware--2cfe8a26-5be7-4a09-8915-ea3d9e787513", "uses", @@ -8395,14 +7095,9 @@ "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f" - ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", @@ -8419,11 +7114,6 @@ "uses", "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], [ "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "uses", @@ -8444,11 +7134,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--414dc555-c79e-4b24-a2da-9b607f7eaf16", "uses", 
@@ -8464,26 +7149,11 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530" - ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "tool--64764dc6-a032-495f-8250-1e4c06bdc163" - ], [ "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", "uses", @@ -8514,6 +7184,11 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], + [ + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "uses", + "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + ], [ "malware--96b08451-b27a-4ff6-893f-790e26393a8e", "uses", @@ -8534,11 +7209,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "malware--a2282af0-f9dd-4373-9b92-eaf9e11e0c71", "uses", @@ -8550,14 +7220,14 @@ "tool--da04ac30-27da-4959-a67d-450ce47d9470" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4", "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], [ "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd", 
@@ -8619,11 +7289,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], [ "malware--65341f30-bec6-4b1d-8abf-1a5620446c29", "uses", @@ -8634,21 +7299,6 @@ "subtechnique-of", "attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - ], - [ - "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", - "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" - ], - [ - "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65", "uses", @@ -8669,16 +7319,6 @@ "uses", "attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2" - ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24" - ], [ "malware--aae22730-e571-4d17-b037-65f2a3e26213", "uses", @@ -8709,11 +7349,6 @@ "subtechnique-of", "attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" - ], [ "malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080", "uses", 
@@ -8735,25 +7370,20 @@ "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f" ], [ - "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "tool--ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68" - ], [ "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73", "uses", @@ -8789,11 +7419,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "uses", - "malware--b42378e0-f147-496f-992a-26a49705395b" - ], [ "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "uses", @@ -8805,9 +7430,9 @@ "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", @@ -8824,16 +7449,6 @@ "uses", "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], [ "malware--cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", "uses", 
@@ -8875,24 +7490,24 @@ "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb" ], [ - "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" + "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], [ - "malware--04227b24-7817-4de1-9050-b7b1b57f5866", + "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65", "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" ], [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", + "malware--04227b24-7817-4de1-9050-b7b1b57f5866", "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "malware--198db886-47af-4f4c-bff5-11b891f85946", @@ -8909,6 +7524,11 @@ "uses", "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" ], + [ + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "uses", + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + ], [ "tool--2fab555f-7664-4623-b4e0-1675ae38190b", "uses", @@ -8934,11 +7554,6 @@ "uses", "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" ], - [ - "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--198db886-47af-4f4c-bff5-11b891f85946", "uses", @@ -8974,11 +7589,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", 
@@ -9005,9 +7615,9 @@ "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", @@ -9025,22 +7635,12 @@ "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "malware--8be7c69e-d8e3-4970-9668-61de08e508cc", "uses", - "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--d20b397a-ea47-48a9-b503-2e2a3551e11d" - ], - [ - "malware--8be7c69e-d8e3-4970-9668-61de08e508cc", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], - [ - "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], @@ -9069,20 +7669,15 @@ "uses", "attack-pattern--b24e2a20-3b3d-4bf0-823b-1ed765398fb0" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6" - ], [ "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360", 
@@ -9100,9 +7695,9 @@ "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" + "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47" ], [ "malware--50d6688b-0985-4f3d-8cbe-0c796b30703b", @@ -9124,21 +7719,11 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" - ], [ "malware--326af1cd-78e7-45b7-a326-125d2f7ef8f2", "uses", "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004" ], - [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", "subtechnique-of", @@ -9159,6 +7744,16 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "uses", + "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" + ], + [ + "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3", + "subtechnique-of", + "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9" + ], [ "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", "uses", 
@@ -9205,25 +7800,15 @@ "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" + "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], [ "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", "uses", "attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae" ], - [ - "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b" - ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -9285,14 +7870,14 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", + "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "uses", - "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ - "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605" ], [ "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1", @@ -9315,7 +7900,12 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "uses", + "attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6" + ], + [ + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92" ], @@ -9329,6 +7919,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], + [ + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "uses", + "attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235" + ], [ "tool--03342581-f790-4f03-ba41-e82e67392e23", "uses", 
@@ -9340,9 +7935,9 @@ "attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba" ], [ - "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04" + "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], [ "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b", @@ -9360,14 +7955,9 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], - [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541", @@ -9384,11 +7974,6 @@ "uses", "malware--7f8730af-f683-423f-9ee1-5f6875a80481" ], - [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", @@ -9400,9 +7985,9 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "malware--b9704a7d-feef-4af9-8898-5280f1686326", "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], [ "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", 
@@ -9415,24 +8000,14 @@ "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", @@ -9444,21 +8019,11 @@ "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], - [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", - "uses", - "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" - ], [ "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73", "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef" - ], [ "attack-pattern--d273434a-448e-4598-8e14-607f4a0d5e27", "subtechnique-of", @@ -9470,9 +8035,14 @@ "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", + "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", + "uses", + "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f" + ], + [ + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2" + "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", 
@@ -9489,11 +8059,6 @@ "uses", "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], [ "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", "uses", @@ -9569,11 +8134,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" - ], [ "malware--e3cedcfe-6515-4348-af65-7f2c4157bf0d", "uses", @@ -9585,14 +8145,14 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", + "tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "uses", - "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d" + "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" ], [ - "tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe", + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" + "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" ], [ "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", 
@@ -9624,80 +8184,35 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" - ], [ "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", "uses", "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" ], [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", - "uses", - "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" + "attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d", + "subtechnique-of", + "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529" ], [ "malware--12a7450d-b03e-4990-a5b8-b405ab9c803b", "uses", "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" - ], [ "malware--432555de-63bf-4f2a-a3fa-f720a4561078", "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7" - ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153" - ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153" - ], - [ - "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" - ], - [ 
- "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" + "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5" ], [ "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", @@ -9714,20 +8229,15 @@ "uses", "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b" ], - [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" + "attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", + "subtechnique-of", + "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a" ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", @@ -9739,6 +8249,11 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "uses", + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + ], [ "attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e", "subtechnique-of", @@ -9754,11 +8269,6 @@ "uses", "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--f72251cb-2be5-421f-a081-99c29a1209e7", "uses", 
@@ -9789,21 +8299,11 @@ "uses", "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "malware--a5575606-9b85-4e3d-9cd2-40ef30e3672d", "uses", "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0" - ], [ "malware--1d1fce2f-0db5-402b-9843-4278a0694637", "uses", @@ -9829,11 +8329,6 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", @@ -9865,9 +8360,9 @@ "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ "malware--414dc555-c79e-4b24-a2da-9b607f7eaf16", @@ -9909,21 +8404,11 @@ "uses", "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" - ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9" - ], [ "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65", "uses", 
@@ -9940,24 +8425,9 @@ "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" - ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" - ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", @@ -9979,11 +8449,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc" - ], [ "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "uses", @@ -9999,36 +8464,16 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--48523614-309e-43bf-a2b8-705c2b45d7b2", "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "malware--198db886-47af-4f4c-bff5-11b891f85946", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" - ], [ "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", 
@@ -10045,14 +8490,14 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "uses", - "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416" + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], [ "malware--53486bc7-7748-4716-8190-e4f1fde04c53", @@ -10064,21 +8509,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e", "uses", @@ -10099,21 +8529,11 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92" - ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -10124,6 +8544,11 @@ "uses", "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" + ], [ "tool--115f88dd-0618-4389-83cb-98d33ae81848", "uses", 
@@ -10135,30 +8560,15 @@ "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "malware--0852567d-7958-4f4b-8947-4f840ec8d57d", "uses", - "malware--35cd1d01-1ede-44d2-b073-a264d727bc04" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc" - ], - [ - "malware--0852567d-7958-4f4b-8947-4f840ec8d57d", - "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" + "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], [ "malware--bdb27a1d-1844-42f1-a0c0-826027ae0326", "uses", "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" - ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", 
@@ -10190,34 +8600,29 @@ "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69" + "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "subtechnique-of", + "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9" ], [ "tool--da04ac30-27da-4959-a67d-450ce47d9470", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--e2031fd5-02c2-43d4-85e2-b64f474530c2", "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "malware--b42378e0-f147-496f-992a-26a49705395b", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0", + "subtechnique-of", + "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "malware--b42378e0-f147-496f-992a-26a49705395b", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", 
@@ -10254,41 +8659,21 @@ "uses", "attack-pattern--86a96bf6-cf8b-411c-aaeb-8959944d64f7" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--a60657fa-e2e7-4f8f-8128-a882534ae8c5", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", "tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27" ], - [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "tool--65370d0b-3bd4-4653-8cf9-daf56f6be830", "uses", "attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" - ], [ "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4", "uses", @@ -10304,26 +8689,11 @@ "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", "uses", @@ -10339,11 +8709,6 @@ "uses", "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" - ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "uses", 
@@ -10359,25 +8724,25 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" - ], [ "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00", "uses", "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], [ - "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", + "attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca", + "subtechnique-of", + "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0" + ], + [ + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48" ], [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", + "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a", @@ -10389,6 +8754,11 @@ "uses", "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d" ], + [ + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "uses", + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + ], [ "malware--56e6b6c2-e573-4969-8bab-783205cebbbf", "uses", @@ -10414,11 +8784,6 @@ "uses", "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--56e6b6c2-e573-4969-8bab-783205cebbbf", "uses", 
@@ -10434,21 +8799,11 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" - ], [ "malware--b0f13390-cec7-4814-b37c-ccec01887faa", "uses", "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], [ "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", "uses", @@ -10470,14 +8825,14 @@ "attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "uses", - "malware--6b62e336-176f-417b-856a-8552dd8c44e1" + "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], [ - "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", @@ -10509,11 +8864,6 @@ "uses", "attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023" ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c" - ], [ "attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd", "subtechnique-of", 
@@ -10535,24 +8885,19 @@ "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a" - ], - [ - "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" + "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "uses", - "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", @@ -10564,16 +8909,6 @@ "uses", "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" - ], - [ - "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", - "uses", - "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841" - ], [ "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "uses", @@ -10604,11 +8939,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", - "uses", - "attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292" - ], [ "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", @@ -10619,11 +8949,6 @@ "uses", "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2", "subtechnique-of", 
@@ -10634,11 +8959,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace" - ], [ "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "uses", @@ -10654,35 +8974,25 @@ "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "tool--242f3da3-4425-4d11-8f5c-b842886da966" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", - "uses", - "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34" - ], [ "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" + "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c" ], [ "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4", 
@@ -10694,41 +9004,16 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "malware--f5352566-1a64-49ac-8f7f-97e1d1a03300" - ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534" - ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", @@ -10740,9 +9025,9 @@ "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", 
@@ -10760,19 +9045,19 @@ "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "malware--ab3580c8-8435-4117-aace-3d9fbe46aa56", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", + "malware--ab3580c8-8435-4117-aace-3d9fbe46aa56", "uses", - "malware--95047f03-4811-4300-922e-1ba937d53a61" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", @@ -10780,14 +9065,9 @@ "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" - ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", @@ -10829,6 +9109,11 @@ "uses", "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], + [ + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "uses", + "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" + ], [ "malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "uses", 
@@ -10839,26 +9124,26 @@ "uses", "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" - ], [ "malware--198db886-47af-4f4c-bff5-11b891f85946", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" + ], [ "malware--288fa242-e894-4c7e-ac86-856deedf5cea", "uses", @@ -10874,21 +9159,11 @@ "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--60d50676-459a-47dd-92e9-a827a9fe9c58", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "malware--835a79f1-842d-472d-b8f4-d54b545c341b" - ], [ "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", "uses", 
@@ -10914,31 +9189,11 @@ "uses", "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" - ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "uses", "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665" - ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--b45747dc-87ca-4597-a245-7e16a61bc491", "uses", @@ -10950,20 +9205,25 @@ "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d" ], [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "tool--5a63f900-5e7e-4928-a746-dd4558e1df71", "uses", - "malware--92b03a94-7147-4952-9d5a-b4d24da7487c" + "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" ], [ - "tool--5a63f900-5e7e-4928-a746-dd4558e1df71", + "malware--1cdbbcab-903a-414d-8eb0-439a97343737", "uses", - "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" + "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776" ], [ "malware--1d1fce2f-0db5-402b-9843-4278a0694637", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], + [ + "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "uses", + "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" + ], [ "malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "uses", @@ -10979,11 +9239,6 @@ "uses", "attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6" - ], [ "malware--56e6b6c2-e573-4969-8bab-783205cebbbf", "uses", 
@@ -10999,11 +9254,6 @@ "uses", "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" - ], [ "malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122", "uses", @@ -11019,6 +9269,11 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "malware--ef2247bf-8062-404b-894f-d65d00564817", + "uses", + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", @@ -11030,9 +9285,9 @@ "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8" ], [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", @@ -11060,25 +9315,20 @@ "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ - "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", "uses", - "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "uses", "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" ], - [ - "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9", - "uses", - "attack-pattern--791481f8-e96a-41be-b089-a088763083d4" - ], [ "malware--79499993-a8d6-45eb-b343-bf58dea5bdde", "uses", 
@@ -11104,11 +9354,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69" - ], [ "malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080", "uses", @@ -11120,9 +9365,9 @@ "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" + "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ "malware--60d50676-459a-47dd-92e9-a827a9fe9c58", @@ -11135,14 +9380,9 @@ "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" ], [ - "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" + "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" ], [ "tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27", @@ -11189,11 +9429,6 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534" - ], [ "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", "uses", @@ -11205,12 +9440,12 @@ "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], [ - "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" + "attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2", + "subtechnique-of", + "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf" ], [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], 
@@ -11219,6 +9454,11 @@ "uses", "tool--242f3da3-4425-4d11-8f5c-b842886da966" ], + [ + "attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f", + "subtechnique-of", + "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23" + ], [ "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "uses", @@ -11255,14 +9495,14 @@ "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", @@ -11279,35 +9519,15 @@ "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4" - ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ "malware--e9595678-d269-469e-ae6b-75e49259de63", 
@@ -11334,11 +9554,6 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c" - ], [ "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", "uses", @@ -11349,11 +9564,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" - ], [ "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4", "uses", @@ -11369,11 +9579,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "malware--a020a61c-423f-4195-8c46-ba1d21abba37" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", @@ -11384,11 +9589,6 @@ "uses", "attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--60c18d06-7b91-4742-bae3-647845cd9d81", "uses", 
@@ -11409,41 +9609,11 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - ], - [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", - "uses", - "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317" - ], - [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "uses", - "malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a" - ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "malware--0f1ad2ef-41d4-4b7a-9304-ddae68ea3005" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc" - ], [ "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], - [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace", "uses", @@ -11459,16 +9629,6 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" - ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], [ "attack-pattern--635cbe30-392d-4e27-978e-66774357c762", "subtechnique-of", @@ -11484,6 +9644,11 @@ "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], + [ + "malware--8393dac0-0583-456a-9372-fd81691bca20", + "uses", + "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf" + ], [ "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", "uses", 
@@ -11494,21 +9659,11 @@ "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], [ "malware--54895630-efd2-4608-9c24-319de972a9eb", "uses", "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336" ], - [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", @@ -11519,11 +9674,6 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", @@ -11534,11 +9684,6 @@ "uses", "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48" ], - [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", 
@@ -11550,35 +9695,20 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e" + "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15", + "subtechnique-of", + "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1" ], [ "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f", "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22" - ], [ "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", 
@@ -11610,24 +9740,24 @@ "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6" + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ - "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" + "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], [ "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", @@ -11640,9 +9770,9 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", @@ -11654,21 +9784,11 @@ "uses", "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" ], - [ - "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e" - ], [ "tool--03342581-f790-4f03-ba41-e82e67392e23", "uses", 
@@ -11685,9 +9805,9 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ "malware--e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", @@ -11700,25 +9820,20 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c" ], [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", + "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], [ "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", "uses", "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", @@ -11735,20 +9850,15 @@ "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "malware--96b08451-b27a-4ff6-893f-790e26393a8e", "uses", "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2" - ], [ "malware--54e8672d-5338-4ad1-954a-a7c986bee530", "uses", 
@@ -11769,21 +9879,6 @@ "uses", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--bd0536d7-b081-43ae-a773-cfb057c5b988" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], [ "malware--e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "uses", @@ -11805,7 +9900,7 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], @@ -11814,25 +9909,15 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83" - ], [ "malware--a2282af0-f9dd-4373-9b92-eaf9e11e0c71", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" + "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "subtechnique-of", + "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e" ], [ "malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", @@ -11844,11 +9929,6 @@ "uses", "malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" - ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", 
@@ -11859,11 +9939,6 @@ "uses", "attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" - ], [ "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470", "subtechnique-of", @@ -11900,25 +9975,20 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", + "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a", "uses", - "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab" + "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" - ], [ "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", "uses", @@ -11935,7 +10005,7 @@ "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b" ], @@ -11969,11 +10039,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2", "uses", 
@@ -12005,30 +10070,40 @@ "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" ], [ - "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65" ], [ - "malware--4e6b9625-bbda-4d96-a652-b3bb45453f26", + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" + "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" + ], + [ + "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", + "uses", + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--4e6b9625-bbda-4d96-a652-b3bb45453f26", "uses", - "tool--b35068ec-107a-4266-bda8-eb7036267aea" + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ "malware--08d20cd2-f084-45ee-8558-fa6ef5a18519", "uses", "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], + [ + "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "uses", + "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" + ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", 
@@ -12045,9 +10120,19 @@ "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529" ], [ - "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", + "malware--b9704a7d-feef-4af9-8898-5280f1686326", "uses", - "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + ], + [ + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "uses", + "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" + ], + [ + "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "uses", + "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665" ], [ "malware--aae22730-e571-4d17-b037-65f2a3e26213", @@ -12059,11 +10144,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" - ], [ "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "uses", @@ -12075,9 +10155,9 @@ "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", @@ -12089,11 +10169,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], [ "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", "uses", @@ -12119,11 +10194,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31", - "uses", - "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039" - ], [ "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", 
@@ -12144,30 +10214,25 @@ "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "malware--b96680d1-5eb3-4f07-b95c-00ab904ac236" - ], [ "malware--c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], [ - "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" + "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" ], [ "malware--198db886-47af-4f4c-bff5-11b891f85946", @@ -12175,12 +10240,7 @@ "attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6" ], [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], - [ - "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", + "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], @@ -12200,9 +10260,9 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" + "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995", 
@@ -12224,6 +10284,11 @@ "uses", "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], + [ + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "uses", + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" + ], [ "malware--a60657fa-e2e7-4f8f-8128-a882534ae8c5", "uses", @@ -12249,11 +10314,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "uses", @@ -12264,16 +10324,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" - ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345" - ], [ "malware--754effde-613c-4244-a83e-fb659b2a4d06", "uses", 
@@ -12315,55 +10365,25 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "malware--53a42597-1974-4b8e-84fd-3675e8992053" - ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", + "malware--b9704a7d-feef-4af9-8898-5280f1686326", "uses", - "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b" + "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00" ], [ "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", "uses", "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" ], - [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", - "uses", - "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd" - ], - [ - "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647", - "uses", - "malware--b42378e0-f147-496f-992a-26a49705395b" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" - ], [ "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "subtechnique-of", "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba" ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2" - ], [ "malware--2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "uses", @@ -12399,6 +10419,11 @@ "uses", "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b" ], + [ + "malware--b136d088-a829-432c-ac26-5529c26d4c7e", + "uses", + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + ], [ "malware--5189f018-fea2-45d7-b0ed-23f9ee0a46f3", "uses", 
@@ -12414,6 +10439,11 @@ "uses", "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], + [ + "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "uses", + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", @@ -12425,20 +10455,15 @@ "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "malware--e48df773-7c95-4a4c-ba70-ea3d15900148" + "attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413", + "subtechnique-of", + "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109" ], [ "attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44", "subtechnique-of", "attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58" - ], [ "attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21", "subtechnique-of", @@ -12459,36 +10484,16 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - ], [ "malware--4b072c90-bc7a-432b-940e-016fc1c01761", "uses", "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c" - ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--2daa14d6-cbf3-4308-bb8e-213c324a08e4" - ], [ "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8", "uses", 
@@ -12514,16 +10519,6 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "malware--b57f419e-8b12-49d3-886b-145383725dcd" - ], [ "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "uses", @@ -12544,11 +10539,21 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], + [ + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "uses", + "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783" + ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], + [ + "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "uses", + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + ], [ "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", "uses", @@ -12599,11 +10604,6 @@ "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - ], [ "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "uses", @@ -12619,6 +10619,11 @@ "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], + [ + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "uses", + "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade" + ], [ "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "uses", 
@@ -12660,39 +10665,29 @@ "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--60c18d06-7b91-4742-bae3-647845cd9d81" - ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ "malware--198db886-47af-4f4c-bff5-11b891f85946", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", - "uses", - "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" - ], [ "malware--705f0783-5f7d-4491-b6b7-9628e6e006d2", "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47" ], [ - "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--f4d8a2d6-c684-453a-8a14-cf4a94f755c5", @@ -12714,6 +10709,11 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + ], [ "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", "uses", @@ -12729,6 +10729,11 @@ "uses", "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580" ], + [ + "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795", + "subtechnique-of", + "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2" + ], [ "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", 
@@ -12779,15 +10784,20 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "uses", + "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" + ], [ "malware--e48df773-7c95-4a4c-ba70-ea3d15900148", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "malware--8fc6c9e7-a162-4ca4-a488-f1819e9a7b06" + "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], [ "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1", @@ -12805,14 +10815,14 @@ "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", - "malware--00806466-754d-44ea-ad6f-0caf59cb8556" + "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", @@ -12824,16 +10834,6 @@ "uses", "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], - [ - "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], [ "attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99", "subtechnique-of", 
@@ -12844,26 +10844,11 @@ "uses", "attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" - ], [ "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0", "uses", "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58" - ], [ "malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "uses", @@ -12884,25 +10869,20 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], [ "malware--7bec698a-7e20-4fd3-bb6a-12787770fb1a", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", "uses", - "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7" + "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", 
@@ -12920,14 +10900,19 @@ "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2" ], [ - "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" + "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" + "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336" + ], + [ + "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "uses", + "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], [ "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", @@ -12935,9 +10920,9 @@ "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ "malware--049ff071-0b3c-4712-95d2-d21c6aa54501", @@ -12959,6 +10944,11 @@ "uses", "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6" ], + [ + "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "uses", + "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6" + ], [ "malware--2daa14d6-cbf3-4308-bb8e-213c324a08e4", "uses", @@ -12989,11 +10979,6 @@ "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", "uses", @@ -13019,11 +11004,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--d1b7830a-fced-4be3-a99c-f495af9d9e1b", "uses", 
@@ -13049,21 +11029,11 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573", "uses", @@ -13074,16 +11044,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "malware--049ff071-0b3c-4712-95d2-d21c6aa54501" - ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" - ], [ "malware--b45747dc-87ca-4597-a245-7e16a61bc491", "uses", @@ -13094,21 +11054,11 @@ "uses", "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], - [ - "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "uses", "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], [ "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", "uses", @@ -13149,16 +11099,6 @@ "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--d1183cb9-258e-4f2f-8415-50ac8252c49e", "uses", 
@@ -13169,11 +11109,6 @@ "uses", "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], - [ - "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", - "uses", - "tool--d5e96a35-7b0b-4c6a-9533-d63ecbda563e" - ], [ "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "uses", @@ -13219,11 +11154,6 @@ "subtechnique-of", "attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470" - ], [ "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", @@ -13234,11 +11164,6 @@ "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", @@ -13300,9 +11225,9 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "malware--fece06b7-d4b1-42cf-b81a-5323c917546e" + "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], [ "malware--5189f018-fea2-45d7-b0ed-23f9ee0a46f3", @@ -13334,16 +11259,6 @@ "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], - [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", - "uses", - "malware--bdb27a1d-1844-42f1-a0c0-826027ae0326" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", 
@@ -13355,19 +11270,19 @@ "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", + "malware--8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], [ - "malware--8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5" ], [ "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", @@ -13384,11 +11299,6 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" - ], [ "malware--5189f018-fea2-45d7-b0ed-23f9ee0a46f3", "uses", @@ -13399,11 +11309,6 @@ "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "tool--26c87906-d750-42c5-946c-d4162c73fc7b" - ], [ "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", "uses", @@ -13415,12 +11320,7 @@ "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" - ], - [ - "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", + "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], 
@@ -13429,6 +11329,11 @@ "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], + [ + "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "subtechnique-of", + "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d" + ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", @@ -13470,14 +11375,9 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "tool--26c87906-d750-42c5-946c-d4162c73fc7b" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "malware--4189a679-72ed-4a89-a57c-7f689712ecf8" + "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], [ "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc", @@ -13499,16 +11399,6 @@ "subtechnique-of", "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db" ], - [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", - "uses", - "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c" - ], - [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - ], [ "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "uses", @@ -13519,21 +11409,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], [ "malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "uses", 
@@ -13564,11 +11439,6 @@ "uses", "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], - [ - "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "uses", @@ -13594,11 +11464,6 @@ "uses", "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -13619,6 +11484,11 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], + [ + "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "uses", + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + ], [ "tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27", "uses", @@ -13655,10 +11525,15 @@ "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], + [ + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "uses", + "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916" + ], [ "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "uses", 
@@ -13690,24 +11565,24 @@ "attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4" ], [ - "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], [ - "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" + "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5", "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", + "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "uses", - "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" + "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" ], [ "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e", @@ -13729,11 +11604,6 @@ "uses", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--9752aef4-a1f3-4328-929f-b64eb0536090", "uses", @@ -13774,16 +11644,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "malware--414dc555-c79e-4b24-a2da-9b607f7eaf16" - ], [ "malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14", "uses", 
@@ -13794,6 +11654,11 @@ "uses", "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], + [ + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "uses", + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + ], [ "malware--069af411-9b24-4e85-b26c-623d035bbe84", "uses", @@ -13809,11 +11674,6 @@ "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "uses", @@ -13824,16 +11684,6 @@ "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d" - ], [ "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f", "uses", @@ -13869,16 +11719,6 @@ "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", @@ -13889,11 +11729,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" - ], [ "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", 
@@ -13904,16 +11739,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" - ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" - ], [ "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "subtechnique-of", @@ -13929,21 +11754,11 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" - ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35" - ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", @@ -13959,6 +11774,11 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f" + ], [ "malware--754effde-613c-4244-a83e-fb659b2a4d06", "uses", @@ -13979,21 +11799,11 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b" - ], [ "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1", "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], [ "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", "uses", 
@@ -14009,11 +11819,6 @@ "uses", "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], [ "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee", "subtechnique-of", @@ -14049,6 +11854,11 @@ "uses", "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b" ], + [ + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "uses", + "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + ], [ "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "uses", @@ -14060,14 +11870,14 @@ "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ - "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", + "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", - "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" + "tool--c4810609-7da6-48ec-8057-1b70a7814db0" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", "uses", - "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" + "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], [ "malware--876f6a77-fbc5-4e13-ab1a-5611986730a3", 
@@ -14079,46 +11889,26 @@ "uses", "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "malware--b6b3dfc7-9a81-43ff-ac04-698bad48973a" - ], [ "malware--b8fdef82-d2cf-4948-8949-6466357b1be1", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--d69c8146-ab35-4d50-8382-6fc80e641d43", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", - "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" + "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970", + "subtechnique-of", + "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1" ], [ "malware--8be7c69e-d8e3-4970-9668-61de08e508cc", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--95047f03-4811-4300-922e-1ba937d53a61", "uses", @@ -14139,6 +11929,11 @@ "uses", "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9" ], + [ + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "uses", + "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0" + ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", 
@@ -14149,21 +11944,11 @@ "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "malware--0852567d-7958-4f4b-8947-4f840ec8d57d" - ], [ "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "malware--e3cedcfe-6515-4348-af65-7f2c4157bf0d" - ], [ "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", "uses", @@ -14179,11 +11964,6 @@ "uses", "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--04227b24-7817-4de1-9050-b7b1b57f5866", "uses", @@ -14195,14 +11975,14 @@ "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "uses", - "attack-pattern--613d08bc-e8f4-4791-80b0-c8b974340dfd" + "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "subtechnique-of", + "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "uses", - "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" + "attack-pattern--613d08bc-e8f4-4791-80b0-c8b974340dfd" ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", 
@@ -14210,14 +11990,14 @@ "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], [ - "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d" ], [ - "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", @@ -14239,20 +12019,15 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], [ "malware--9af05de0-bc09-4511-a350-5eb8b06185c1", "uses", "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], [ "malware--5e595477-2e78-4ce7-ae42-e0b059b17808", @@ -14269,11 +12044,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], [ "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", "uses", 
@@ -14304,20 +12074,15 @@ "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], [ "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ "malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14", @@ -14330,9 +12095,9 @@ "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", 
@@ -14340,44 +12105,49 @@ "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ - "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", + "malware--b9704a7d-feef-4af9-8898-5280f1686326", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", + "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", "uses", - "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "tool--03342581-f790-4f03-ba41-e82e67392e23", + "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", - "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" + "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d", + "subtechnique-of", + "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f" + ], + [ + "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", "uses", - "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" + "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" ], [ - "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", + "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "tool--03342581-f790-4f03-ba41-e82e67392e23", "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", + "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", 
@@ -14405,14 +12175,9 @@ "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "malware--5dd649c0-bca4-488b-bd85-b180474ec62e" + "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" ], [ "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", @@ -14435,14 +12200,14 @@ "attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf" ], [ - "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", + "malware--99164b38-1775-40bc-b77b-a2373b14540a", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", "uses", - "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--9752aef4-a1f3-4328-929f-b64eb0536090", @@ -14465,19 +12230,14 @@ "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", "uses", - "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", 
@@ -14485,100 +12245,35 @@ "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" ], [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc" - ], - [ - "malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613", + "malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369" - ], - [ - "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" - ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" - ], [ "malware--326af1cd-78e7-45b7-a326-125d2f7ef8f2", "uses", "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec" ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4" - ], [ "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", "uses", "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - 
"attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" - ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8" - ], [ "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" - ], [ "malware--876f6a77-fbc5-4e13-ab1a-5611986730a3", "uses", @@ -14614,11 +12309,6 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], [ "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050", "uses", @@ -14639,6 +12329,11 @@ "uses", "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" ], + [ + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "uses", + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + ], [ "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "uses", @@ -14655,14 +12350,14 @@ "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" ], [ - "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "uses", - "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", 
@@ -14689,6 +12384,11 @@ "uses", "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], + [ + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "uses", + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + ], [ "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "uses", @@ -14709,26 +12409,11 @@ "subtechnique-of", "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], [ "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952", "uses", "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", @@ -14739,11 +12424,6 @@ "uses", "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" ], - [ - "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", - "uses", - "malware--2a70812b-f1ef-44db-8578-a496a227aef2" - ], [ "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", "uses", @@ -14784,21 +12464,11 @@ "uses", "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--5e595477-2e78-4ce7-ae42-e0b059b17808" - ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], - [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", - "uses", - "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c" - ], [ "malware--aad11e34-02ca-4220-91cd-2ed420af4db3", "uses", 
@@ -14810,14 +12480,14 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "malware--4e6b9625-bbda-4d96-a652-b3bb45453f26" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", + "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + "malware--4e6b9625-bbda-4d96-a652-b3bb45453f26" ], [ "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", @@ -14840,24 +12510,9 @@ "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" + "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", 
@@ -14874,25 +12529,20 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], [ "malware--b4d80f8b-d2b9-4448-8844-4bef777ed676", "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], [ - "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "uses", - "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069" + "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], [ "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", @@ -14909,26 +12559,11 @@ "uses", "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" - ], [ "malware--53486bc7-7748-4716-8190-e4f1fde04c53", "uses", "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], - [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", "uses", @@ -14949,6 +12584,11 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "uses", 
@@ -14964,11 +12604,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", "uses", @@ -14989,11 +12624,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" - ], [ "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "uses", @@ -15009,25 +12639,20 @@ "uses", "attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9" - ], [ "malware--fc774af4-533b-4724-96d2-ac1026316794", "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", + "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" + "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], [ - "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", "uses", - "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" + "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" ], [ "malware--bdb27a1d-1844-42f1-a0c0-826027ae0326", @@ -15044,6 +12669,11 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], + [ + "malware--8393dac0-0583-456a-9372-fd81691bca20", + "uses", + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + ], [ "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", "uses", @@ -15074,11 +12704,6 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", - "uses", - "attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1" - ], [ "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "uses", 
@@ -15089,11 +12714,6 @@ "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "malware--a705b085-1eae-455e-8f4d-842483d814eb" - ], [ "malware--95047f03-4811-4300-922e-1ba937d53a61", "uses", @@ -15109,6 +12729,11 @@ "uses", "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], + [ + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "uses", + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + ], [ "malware--8dbadf80-468c-4a62-b817-4e4d8b606887", "uses", @@ -15124,6 +12749,11 @@ "uses", "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ], + [ + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "uses", + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + ], [ "attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d", "subtechnique-of", @@ -15149,6 +12779,11 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], + [ + "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "uses", 
@@ -15215,37 +12850,22 @@ "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" + "attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1", + "subtechnique-of", + "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9" ], [ "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - ], [ "malware--a5e91d50-24fa-44ec-9894-39a88f658cea", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], @@ -15259,20 +12879,15 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", 
@@ -15284,21 +12899,6 @@ "uses", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" - ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b" - ], - [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "uses", @@ -15335,19 +12935,19 @@ "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "malware--80a014ba-3fef-4768-990b-37d8bd10d7f4" + "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "malware--bdb27a1d-1844-42f1-a0c0-826027ae0326", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "malware--bdb27a1d-1844-42f1-a0c0-826027ae0326", + "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b" ], [ "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", @@ -15370,9 +12970,9 @@ "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--99164b38-1775-40bc-b77b-a2373b14540a", "uses", - "malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--8787e86d-8475-4f13-acea-d33eb83b6105", 
@@ -15394,11 +12994,6 @@ "uses", "attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - ], [ "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "uses", @@ -15409,21 +13004,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], [ "malware--b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", "uses", @@ -15445,9 +13025,9 @@ "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], [ - "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31", - "uses", - "malware--166c0eca-02fd-424a-92c0-6b5106994d31" + "attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f", + "subtechnique-of", + "attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4" ], [ "malware--705f0783-5f7d-4491-b6b7-9628e6e006d2", @@ -15469,11 +13049,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" - ], [ "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e", "uses", @@ -15500,9 +13075,9 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], [ "malware--5e814485-012d-423d-b769-026bfed0f451", 
@@ -15519,11 +13094,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], [ "malware--5763217a-05b6-4edd-9bca-057e47b5e403", "uses", @@ -15539,11 +13109,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--835a79f1-842d-472d-b8f4-d54b545c341b", "uses", @@ -15564,31 +13129,31 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "malware--bfd2738c-8b43-43c3-bc9f-d523c8e88bf4" - ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--68dca94f-c11d-421e-9287-7c501108e18c", "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" + "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], [ - "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "malware--99164b38-1775-40bc-b77b-a2373b14540a", "uses", - "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], + [ + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "uses", + "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" + ], [ "tool--4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", "uses", 
@@ -15600,14 +13165,14 @@ "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ - "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" + "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", - "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534" + "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" ], [ "malware--e494ad79-37ee-4cd0-866b-299c521d8b94", @@ -15639,16 +13204,6 @@ "uses", "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "malware--96b08451-b27a-4ff6-893f-790e26393a8e" - ], [ "malware--8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", "uses", @@ -15660,20 +13215,15 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba" + "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605" ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], - [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], [ "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", "uses", @@ -15684,11 +13234,6 @@ "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--b45747dc-87ca-4597-a245-7e16a61bc491", "uses", 
@@ -15724,11 +13269,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "malware--1cc934e4-b01d-4543-a011-b988dfc1a458", "uses", @@ -15739,6 +13279,11 @@ "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], + [ + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "uses", @@ -15769,40 +13314,20 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], - [ - "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", - "uses", - "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], [ "malware--85b39628-204a-48d2-b377-ec368cbcb7ca", "uses", "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9" ], [ - "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" + "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4", "uses", - "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "tool--03342581-f790-4f03-ba41-e82e67392e23", 
@@ -15824,11 +13349,6 @@ "uses", "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" - ], [ "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", "uses", @@ -15839,11 +13359,6 @@ "uses", "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" ], - [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3", "subtechnique-of", @@ -15865,20 +13380,15 @@ "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", "uses", - "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c" - ], [ "malware--5bcd5511-6756-4824-a692-e8bb109364af", "uses", @@ -15894,11 +13404,6 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", - "uses", - "malware--53ab35c2-d00e-491a-8753-41d35ae7e547" - ], [ "attack-pattern--bf147104-abf9-4221-95d1-e81585859441", "subtechnique-of", 
@@ -15909,26 +13414,6 @@ "uses", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--b136d088-a829-432c-ac26-5529c26d4c7e" - ], - [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "uses", - "malware--fde50aaa-f5de-4cb8-989a-babb57d6a704" - ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "malware--9752aef4-a1f3-4328-929f-b64eb0536090" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], [ "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace", "uses", @@ -15939,21 +13424,6 @@ "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" - ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" - ], [ "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", @@ -15990,25 +13460,15 @@ "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "malware--a60657fa-e2e7-4f8f-8128-a882534ae8c5" + "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc", + "subtechnique-of", + "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e" ], [ "malware--1d1fce2f-0db5-402b-9843-4278a0694637", "uses", "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3", "uses", 
@@ -16049,6 +13509,11 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], + [ + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "uses", + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + ], [ "tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "uses", @@ -16059,6 +13524,11 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "malware--8393dac0-0583-456a-9372-fd81691bca20", + "uses", + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + ], [ "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", @@ -16070,19 +13540,19 @@ "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", + "malware--47124daf-44be-4530-9c63-038bc64318dd", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba" ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", @@ -16099,11 +13569,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77" - ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", @@ -16124,11 +13589,6 @@ "uses", "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", 
@@ -16139,16 +13599,6 @@ "uses", "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" - ], [ "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050", "uses", @@ -16170,20 +13620,15 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + "attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f", + "subtechnique-of", + "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0" ], [ "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" - ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -16205,7 +13650,7 @@ "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" ], @@ -16214,11 +13659,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--e85cae1a-bce3-4ac4-b36b-b00acac0567b", "uses", 
@@ -16244,35 +13684,20 @@ "uses", "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c" - ], [ "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3", "uses", "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--768dce68-8d0d-477a-b01d-0eea98b963a1" - ], - [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", - "uses", - "malware--2a70812b-f1ef-44db-8578-a496a227aef2" - ], [ "tool--da04ac30-27da-4959-a67d-450ce47d9470", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" + "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65" ], [ "malware--00806466-754d-44ea-ad6f-0caf59cb8556", @@ -16284,6 +13709,11 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" + ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", @@ -16294,11 +13724,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "malware--b0f13390-cec7-4814-b37c-ccec01887faa", "uses", 
@@ -16320,15 +13745,20 @@ "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" + "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327" ], [ "malware--67e6d66b-1b82-4699-b47a-e2efb6268d14", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" + ], [ "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "uses", @@ -16339,16 +13769,16 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], + [ + "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "uses", + "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b" + ], [ "attack-pattern--8faedf87-dceb-4c35-b2a2-7286f59a3bc3", "subtechnique-of", "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" - ], [ "malware--04227b24-7817-4de1-9050-b7b1b57f5866", "uses", @@ -16364,6 +13794,11 @@ "uses", "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d" ], + [ + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "uses", + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" + ], [ "malware--6b62e336-176f-417b-856a-8552dd8c44e1", "uses", 
@@ -16375,30 +13810,15 @@ "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" + "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584" ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916" - ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b" - ], [ "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8", "uses", @@ -16409,11 +13829,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8", "uses", @@ -16434,11 +13849,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", @@ -16454,16 +13864,6 @@ "uses", "attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f" - ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" - ], [ "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f", "uses", 
@@ -16474,11 +13874,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", @@ -16494,23 +13889,13 @@ "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", "uses", "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f" ], @@ -16520,7 +13905,7 @@ "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2" ], @@ -16529,26 +13914,11 @@ "uses", "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b", "uses", 
@@ -16580,15 +13950,25 @@ "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a", - "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd", + "subtechnique-of", + "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84" + ], + [ + "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a", + "uses", + "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ "malware--a8a778f5-0035-4870-bb25-53dc05029586", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], + [ + "malware--ef2247bf-8062-404b-894f-d65d00564817", + "uses", + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + ], [ "malware--e1161124-f22e-487f-9d5f-ed8efc8dcd61", "uses", @@ -16619,11 +13999,6 @@ "uses", "attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "uses", 
@@ -16645,35 +14020,20 @@ "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", - "uses", - "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" - ], - [ - "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", - "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" - ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" + "attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8", + "subtechnique-of", + "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" + "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ], [ "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", @@ -16684,11 +14044,6 @@ "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", 
@@ -16699,26 +14054,11 @@ "uses", "attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], - [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", - "uses", - "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534" - ], [ "attack-pattern--3120b9fa-23b8-4500-ae73-09494f607b7d", "subtechnique-of", "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "tool--0c8465c0-d0b4-4670-992e-4eee8d7ff952" - ], [ "malware--43213480-78f7-4fb3-976f-d48f5f6a4c2a", "uses", @@ -16729,16 +14069,6 @@ "uses", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], [ "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d", "uses", @@ -16754,11 +14084,6 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" - ], [ "malware--d5268dfb-ae2b-4e0e-ac07-02a460613d8a", "uses", @@ -16779,11 +14104,6 @@ "uses", "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" - ], [ "malware--518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", "uses", 
@@ -16830,9 +14150,9 @@ "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + "attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6" ], [ "malware--5189f018-fea2-45d7-b0ed-23f9ee0a46f3", @@ -16849,21 +14169,11 @@ "uses", "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b" - ], [ "malware--26fed817-e7bf-41f9-829a-9075ffac45c2", "uses", @@ -16884,21 +14194,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "malware--a8d3d497-2da9-4797-8e0b-ed176be08654", "uses", @@ -16929,6 +14224,11 @@ "uses", "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" + ], [ "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", "uses", 
@@ -16949,6 +14249,11 @@ "uses", "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], + [ + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "uses", + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + ], [ "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "subtechnique-of", @@ -16969,6 +14274,11 @@ "subtechnique-of", "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ], + [ + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "uses", + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" + ], [ "malware--3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "uses", @@ -16985,19 +14295,14 @@ "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ "tool--b35068ec-107a-4266-bda8-eb7036267aea", @@ -17005,9 +14310,9 @@ "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--47124daf-44be-4530-9c63-038bc64318dd", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58" ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", @@ -17024,11 +14329,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", 
@@ -17040,9 +14340,9 @@ "attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" ], [ "malware--aad11e34-02ca-4220-91cd-2ed420af4db3", @@ -17079,31 +14379,16 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" - ], [ "malware--d1183cb9-258e-4f2f-8415-50ac8252c49e", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "uses", @@ -17139,11 +14424,6 @@ "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc" - ], [ "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", "uses", @@ -17165,14 +14445,9 @@ "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" + "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" ], [ "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", 
@@ -17194,21 +14469,11 @@ "uses", "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" - ], [ "malware--56e6b6c2-e573-4969-8bab-783205cebbbf", "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], - [ - "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", - "uses", - "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - ], [ "malware--552462b9-ae79-49dd-855c-5973014e157f", "uses", @@ -17224,16 +14489,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--4b072c90-bc7a-432b-940e-016fc1c01761", "uses", @@ -17259,25 +14514,15 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" - ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "uses", "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "uses", - "tool--5a63f900-5e7e-4928-a746-dd4558e1df71" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "malware--705f0783-5f7d-4491-b6b7-9628e6e006d2", 
@@ -17295,14 +14540,14 @@ "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--8b880b41-5139-4807-baa9-309690218719", "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "malware--8b880b41-5139-4807-baa9-309690218719", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], [ "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b", @@ -17310,14 +14555,14 @@ "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], [ - "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", + "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "uses", - "malware--43213480-78f7-4fb3-976f-d48f5f6a4c2a" + "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118" ], [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839", @@ -17325,19 +14570,14 @@ "attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7" ], [ - "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" + "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", 
@@ -17345,14 +14585,9 @@ "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "tool--9de2308e-7bed-43a3-8e58-f194b3586700" - ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", @@ -17365,9 +14600,14 @@ "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" + "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" + ], + [ + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "uses", + "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], [ "malware--a2282af0-f9dd-4373-9b92-eaf9e11e0c71", 
@@ -17399,30 +14639,25 @@ "uses", "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "malware--75bba379-4ba1-467e-8c60-ec2b269ee984" - ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + ], + [ + "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21", + "subtechnique-of", + "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--aae22730-e571-4d17-b037-65f2a3e26213", @@ -17514,16 +14749,6 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "uses", @@ -17532,7 +14757,7 @@ [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" + "malware--a7881f21-e978-4fe4-af56-92c9416a2616" ], [ "malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a", 
@@ -17579,11 +14804,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" - ], [ "malware--8caa18af-4758-4fd3-9600-e8af579e89ed", "uses", @@ -17604,11 +14824,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", 
@@ -17634,61 +14849,41 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], [ "attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6", "subtechnique-of", "attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2" ], [ - "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" ], [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", + "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5" + "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], [ "malware--5763217a-05b6-4edd-9bca-057e47b5e403", "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", "uses", "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], [ "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "malware--f01e2711-4b48-4192-a2e8-5f56c945ca19" - ], [ "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c", "uses", 
@@ -17704,6 +14899,11 @@ "uses", "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" ], + [ + "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "uses", + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", @@ -17714,11 +14914,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "uses", - "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2" - ], [ "malware--1d1fce2f-0db5-402b-9843-4278a0694637", "uses", @@ -17730,12 +14925,7 @@ "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783" - ], - [ - "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", + "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", "uses", "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], @@ -17754,21 +14944,11 @@ "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "malware--f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2" - ], [ "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--24b4ce59-eaac-4c8b-8634-9b093b7ccd92" - ], [ "malware--8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "uses", 
@@ -17789,26 +14969,11 @@ "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", "tool--9de2308e-7bed-43a3-8e58-f194b3586700" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "malware--b879758f-bbc4-4cab-b5ba-177ac9b009b4", "uses", @@ -17840,14 +15005,14 @@ "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "malware--1d1fce2f-0db5-402b-9843-4278a0694637", @@ -17859,6 +15024,11 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], + [ + "malware--8393dac0-0583-456a-9372-fd81691bca20", + "uses", + "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" + ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -17904,6 +15074,11 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "subtechnique-of", + "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f" + ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", 
@@ -17960,19 +15135,14 @@ "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], [ - "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", - "uses", - "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58" ], [ "malware--11194d8b-fdce-45d2-8047-df15bb8f16bd", @@ -17980,9 +15150,9 @@ "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c" ], [ - "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], [ "malware--3161d76a-e2b2-4b97-9906-24909b735386", @@ -18040,9 +15210,9 @@ "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "malware--5763217a-05b6-4edd-9bca-057e47b5e403", 
@@ -18094,21 +15264,11 @@ "subtechnique-of", "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" - ], [ "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069", "uses", @@ -18119,11 +15279,6 @@ "uses", "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], [ "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "uses", 
@@ -18134,41 +15289,26 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", "uses", "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" ], [ - "tool--03342581-f790-4f03-ba41-e82e67392e23", + "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" + "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "tool--03342581-f790-4f03-ba41-e82e67392e23", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" ], [ "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662", "subtechnique-of", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--22addc7b-b39f-483d-979a-1b35147da5de", "uses", @@ -18184,11 +15324,6 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], [ "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "uses", @@ -18219,11 +15354,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "uses", 
@@ -18249,31 +15379,16 @@ "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], [ "attack-pattern--9c45eaa3-8604-4780-8988-b5074dbb9ecd", "subtechnique-of", "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534" - ], [ "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2", "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--432555de-63bf-4f2a-a3fa-f720a4561078", "uses", @@ -18285,9 +15400,9 @@ "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", @@ -18309,21 +15424,11 @@ "subtechnique-of", "attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "malware--a8a778f5-0035-4870-bb25-53dc05029586", "uses", "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "uses", 
@@ -18334,16 +15439,6 @@ "uses", "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" - ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--d5268dfb-ae2b-4e0e-ac07-02a460613d8a", "uses", @@ -18359,41 +15454,26 @@ "subtechnique-of", "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945", "subtechnique-of", "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], [ - "tool--5a63f900-5e7e-4928-a746-dd4558e1df71", - "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "tool--5a63f900-5e7e-4928-a746-dd4558e1df71", "uses", - "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" - ], [ "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", "uses", @@ -18414,11 +15494,6 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" - ], [ "malware--c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "uses", 
@@ -18485,19 +15560,9 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], - [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], [ "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", @@ -18529,20 +15594,15 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" - ], [ "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8", "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f", + "malware--99164b38-1775-40bc-b77b-a2373b14540a", "uses", - "malware--b42378e0-f147-496f-992a-26a49705395b" + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", @@ -18560,10 +15620,15 @@ "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" + ], [ "malware--8b880b41-5139-4807-baa9-309690218719", "uses", 
@@ -18579,16 +15644,6 @@ "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" - ], - [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", - "uses", - "tool--c11ac61d-50f4-444f-85d8-6f006067f0de" - ], [ "malware--069af411-9b24-4e85-b26c-623d035bbe84", "uses", @@ -18615,14 +15670,9 @@ "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", @@ -18644,21 +15694,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" - ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "uses", @@ -18674,16 +15709,16 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b" - ], [ "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], + [ + "attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636", + "subtechnique-of", + "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1" + ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", 
@@ -18699,11 +15734,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" - ], [ "malware--d5268dfb-ae2b-4e0e-ac07-02a460613d8a", "uses", @@ -18724,21 +15754,11 @@ "uses", "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], - [ - "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", - "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" - ], [ "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "tool--96fd6cc4-a693-4118-83ec-619e5352d07d" - ], [ "malware--8dbadf80-468c-4a62-b817-4e4d8b606887", "uses", @@ -18764,21 +15784,6 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" - ], [ "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", "uses", @@ -18794,16 +15799,6 @@ "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" - ], - [ - "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "uses", - "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" - ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", 
@@ -18824,6 +15819,11 @@ "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], + [ + "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337", + "subtechnique-of", + "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2" + ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", @@ -18839,11 +15839,6 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], [ "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "uses", @@ -18855,9 +15850,9 @@ "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" + "attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff" ], [ "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7", @@ -18909,16 +15904,6 @@ "uses", "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" - ], [ "malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82", "uses", @@ -18944,6 +15929,11 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], + [ + "attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5", + "subtechnique-of", + "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9" + ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", 
@@ -18969,21 +15959,11 @@ "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", - "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" - ], [ "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a", "uses", "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "uses", @@ -18995,9 +15975,14 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "malware--bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + ], + [ + "malware--bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", + "uses", + "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], [ "malware--b8fdef82-d2cf-4948-8949-6466357b1be1", @@ -19059,11 +16044,6 @@ "uses", "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], - [ - "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122", "uses", @@ -19074,11 +16054,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6" - ], [ "malware--b6b3dfc7-9a81-43ff-ac04-698bad48973a", "uses", @@ -19104,11 +16079,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938" - ], [ "malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131", "uses", 
@@ -19119,6 +16089,11 @@ "uses", "malware--85b39628-204a-48d2-b377-ec368cbcb7ca" ], + [ + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "uses", + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + ], [ "malware--95047f03-4811-4300-922e-1ba937d53a61", "uses", @@ -19154,6 +16129,11 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], + [ + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "malware--b8fdef82-d2cf-4948-8949-6466357b1be1", "uses", @@ -19169,16 +16149,6 @@ "uses", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], - [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647", - "uses", - "malware--251fbae2-78f6-4de7-84f6-194c727a64ad" - ], [ "attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec", "subtechnique-of", @@ -19200,9 +16170,9 @@ "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], [ - "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" ], [ "malware--876f6a77-fbc5-4e13-ab1a-5611986730a3", 
@@ -19224,25 +16194,20 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", - "uses", - "attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235" - ], [ "malware--9752aef4-a1f3-4328-929f-b64eb0536090", "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "malware--8dbadf80-468c-4a62-b817-4e4d8b606887", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "malware--8dbadf80-468c-4a62-b817-4e4d8b606887", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ "malware--a020a61c-423f-4195-8c46-ba1d21abba37", @@ -19250,19 +16215,19 @@ "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755" ], [ - "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" + "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" ], [ - "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", + "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", - "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b" + "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], [ "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", 
@@ -19270,9 +16235,14 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea", + "subtechnique-of", + "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109" + ], + [ + "malware--b9704a7d-feef-4af9-8898-5280f1686326", "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", @@ -19289,35 +16259,20 @@ "uses", "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783" ], - [ - "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], - [ - "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" - ], [ "malware--54895630-efd2-4608-9c24-319de972a9eb", "uses", "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], [ - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", "uses", - "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64" + "attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462" ], [ "malware--2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", @@ -19354,11 +16309,6 @@ "uses", "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "uses", 
@@ -19369,21 +16319,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "uses", - "malware--bb3c1098-d654-4620-bf40-694386d28921" - ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "malware--92b55426-109f-4d93-899f-1833ce91ff90" - ], [ "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", "uses", @@ -19430,15 +16365,20 @@ "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", + "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" + "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" ], [ "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470" ], + [ + "malware--47124daf-44be-4530-9c63-038bc64318dd", + "uses", + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "uses", @@ -19449,21 +16389,11 @@ "uses", "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c" - ], [ "malware--e6ef745b-077f-42e1-a37d-29eecff9c754", "uses", 
@@ -19484,26 +16414,11 @@ "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb" - ], [ "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" - ], [ "malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "uses", @@ -19534,6 +16449,11 @@ "uses", "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], + [ + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "uses", + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + ], [ "malware--a5575606-9b85-4e3d-9cd2-40ef30e3672d", "uses", @@ -19554,25 +16474,15 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" ], [ "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c", @@ -19629,6 +16539,11 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], + [ + "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "uses", + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + ], [ "malware--b865dded-0553-4962-a44b-6fe7863effed", "uses", 
@@ -19649,6 +16564,11 @@ "uses", "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0" ], + [ + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "uses", + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + ], [ "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", @@ -19659,6 +16579,11 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], + [ + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "uses", + "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" + ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", @@ -19689,16 +16614,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" - ], - [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--de6cb631-52f6-4169-a73b-7965390b0c30", "uses", @@ -19709,11 +16624,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], [ "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", "uses", @@ -19764,16 +16674,6 @@ "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" - ], [ "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "uses", 
@@ -19785,29 +16685,19 @@ "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", - "uses", - "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6" - ], - [ - "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "malware--e1161124-f22e-487f-9d5f-ed8efc8dcd61" + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" + "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "uses", - "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" + "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605" ], [ "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", @@ -19819,21 +16709,11 @@ "uses", "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" ], - [ - "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "uses", - "malware--8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc" - ], [ "malware--876f6a77-fbc5-4e13-ab1a-5611986730a3", "uses", "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" - ], [ "malware--a60657fa-e2e7-4f8f-8128-a882534ae8c5", "uses", 
@@ -19845,39 +16725,29 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" - ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "tool--242f3da3-4425-4d11-8f5c-b842886da966" + "attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75", + "subtechnique-of", + "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0" ], [ "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4", "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--e9595678-d269-469e-ae6b-75e49259de63", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc" ], [ "malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613", @@ -19909,6 +16779,11 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], + [ + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "uses", + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + ], [ "tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27", "uses", 
@@ -19919,16 +16794,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f" - ], [ "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "uses", @@ -19954,16 +16819,6 @@ "uses", "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc" - ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], [ "malware--fece06b7-d4b1-42cf-b81a-5323c917546e", "uses", @@ -19989,21 +16844,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9", - "uses", - "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995" - ], - [ - "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe" - ], [ "malware--099ecff2-41b8-436d-843c-038a9aa9aa69", "uses", @@ -20029,21 +16869,6 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "tool--30489451-5886-4c46-90c9-0dff9adc5252" - ], [ "malware--3240cbe4-c550-443b-aa76-cc2a7058b870", "uses", 
@@ -20089,11 +16914,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "uses", @@ -20120,9 +16940,9 @@ "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" + "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "subtechnique-of", + "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8" ], [ "attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c", @@ -20139,11 +16959,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", "uses", @@ -20174,11 +16989,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "malware--56d10a7f-bb42-4267-9b4c-63abb9c06010" - ], [ "malware--68dca94f-c11d-421e-9287-7c501108e18c", "uses", @@ -20204,11 +17014,6 @@ "uses", "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92" - ], [ "malware--58adaaa8-f1e8-4606-9a08-422e568461eb", "uses", @@ -20249,11 +17054,6 @@ "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" - ], [ "malware--68dca94f-c11d-421e-9287-7c501108e18c", "uses", 
@@ -20269,11 +17069,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "uses", - "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a" - ], [ "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "uses", @@ -20289,11 +17084,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" - ], [ "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "uses", @@ -20304,6 +17094,11 @@ "uses", "attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462" ], + [ + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "uses", + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + ], [ "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "uses", @@ -20329,11 +17124,6 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", @@ -20344,11 +17134,6 @@ "subtechnique-of", "attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf" - ], [ "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", "uses", @@ -20364,11 +17149,6 @@ "subtechnique-of", "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], [ "malware--6b62e336-176f-417b-856a-8552dd8c44e1", "uses", 
@@ -20384,46 +17164,21 @@ "uses", "attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472" - ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9" - ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" - ], [ "intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656", "uses", "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" - ], [ "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529" - ], [ "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", "uses", @@ -20434,11 +17189,6 @@ "uses", "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", @@ -20454,11 +17204,21 @@ "uses", "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" + ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + ], [ "malware--c4de7d83-e875-4c88-8b5d-06c41e5b7e79", "uses", 
@@ -20474,6 +17234,11 @@ "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], + [ + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "uses", + "attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b" + ], [ "malware--de6cb631-52f6-4169-a73b-7965390b0c30", "uses", @@ -20499,11 +17264,6 @@ "uses", "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "uses", 
@@ -20534,45 +17294,50 @@ "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], + [ + "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "uses", + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995" + ], [ "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", "uses", "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], [ - "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", + "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "malware--17e919aa-4a49-445c-b103-dbb8df9e7351" + "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", "malware--b42378e0-f147-496f-992a-26a49705395b" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" + "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" ], [ "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6", 
@@ -20584,21 +17349,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" - ], [ "malware--aad11e34-02ca-4220-91cd-2ed420af4db3", "uses", @@ -20610,9 +17360,9 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", "uses", - "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", @@ -20624,6 +17374,11 @@ "uses", "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], + [ + "malware--8393dac0-0583-456a-9372-fd81691bca20", + "uses", + "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" + ], [ "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952", "uses", @@ -20655,15 +17410,10 @@ "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" - ], [ "malware--7551188b-8f91-4d34-8350-0d0c57b2b913", "uses", @@ -20689,11 +17439,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec" - ], [ "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "uses", 
@@ -20714,11 +17459,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "malware--b8fdef82-d2cf-4948-8949-6466357b1be1", "uses", @@ -20730,19 +17470,9 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", @@ -20754,11 +17484,6 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0", "subtechnique-of", @@ -20769,11 +17494,6 @@ "uses", "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], - [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" - ], [ "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "uses", @@ -20820,14 +17540,9 @@ "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" ], [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", + "malware--b136d088-a829-432c-ac26-5529c26d4c7e", "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + "attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4" ], [ "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c", 
@@ -20849,21 +17564,11 @@ "uses", "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" - ], [ "malware--e6ef745b-077f-42e1-a37d-29eecff9c754", "uses", "attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], [ "malware--7343e208-7cab-45f2-a47b-41ba5e2f0fab", "uses", @@ -20894,6 +17599,11 @@ "uses", "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + ], [ "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069", "uses", @@ -20925,24 +17635,14 @@ "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e" ], [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", - "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--67e6d66b-1b82-4699-b47a-e2efb6268d14" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--2a70812b-f1ef-44db-8578-a496a227aef2", "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" + "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52" ], [ - "malware--2a70812b-f1ef-44db-8578-a496a227aef2", + "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" + "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc" ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", @@ -20959,6 +17659,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], + [ + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "uses", + "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" + ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", 
@@ -20969,11 +17674,6 @@ "uses", "malware--f5352566-1a64-49ac-8f7f-97e1d1a03300" ], - [ - "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", - "uses", - "malware--3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c" - ], [ "malware--4ab44516-ad75-4e43-a280-705dc0420e2f", "uses", @@ -20994,11 +17694,6 @@ "uses", "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--b42378e0-f147-496f-992a-26a49705395b", "uses", @@ -21019,25 +17714,20 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" - ], [ "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ - "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "uses", - "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", 
@@ -21060,40 +17750,30 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" + "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c" - ], [ "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "uses", "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", "uses", - "malware--76abb3ef-dafd-4762-97cb-a35379429db4" + "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8" ], [ "malware--e8268361-a599-4e45-bd3f-71c8c7e700c0", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" - ], [ "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", "uses", @@ -21114,16 +17794,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "malware--0e18b800-906c-4e44-a143-b11c72b3448b" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec" - ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "uses", @@ -21144,6 +17814,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], + [ + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", "uses", 
@@ -21159,6 +17834,11 @@ "uses", "attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235" ], + [ + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "malware--0852567d-7958-4f4b-8947-4f840ec8d57d", "uses", @@ -21169,36 +17849,11 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "uses", - "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--cbf646f1-7db5-4dc6-808b-0094313949df" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" - ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6" - ], [ "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "uses", "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--56d10a7f-bb42-4267-9b4c-63abb9c06010", "uses", @@ -21249,11 +17904,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--de6cb631-52f6-4169-a73b-7965390b0c30", "uses", 
@@ -21274,43 +17924,18 @@ "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], [ "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", + "malware--d20b397a-ea47-48a9-b503-2e2a3551e11d", "uses", - "attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5" + "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617" - ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" - ], - [ - "malware--d20b397a-ea47-48a9-b503-2e2a3551e11d", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", + "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], @@ -21389,11 +18014,6 @@ "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b" - ], [ "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "uses", 
@@ -21415,14 +18035,9 @@ "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0" - ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", @@ -21434,6 +18049,11 @@ "uses", "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf" + ], [ "malware--3249e92a-870b-426d-8790-ba311c1abfb4", "uses", @@ -21465,14 +18085,9 @@ "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" - ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "malware--a5e91d50-24fa-44ec-9894-39a88f658cea" + "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" ], [ "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050", @@ -21499,23 +18114,13 @@ "uses", "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" - ], [ "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4" ], 
@@ -21539,31 +18144,11 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", - "uses", - "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea" - ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--fece06b7-d4b1-42cf-b81a-5323c917546e", "uses", @@ -21600,9 +18185,9 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", @@ -21624,16 +18209,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], - [ - "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31", - "uses", - "malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131" - ], [ "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "uses", 
@@ -21700,19 +18275,14 @@ "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "malware--b8eb28e4-48a6-40ae-951a-328714f75eda" + "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f" + "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", @@ -21779,26 +18349,11 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], [ "malware--3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" - ], [ "malware--fb261c56-b80e-43a9-8351-c84081e7213d", "uses", 
@@ -21844,31 +18399,16 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" - ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", @@ -21904,30 +18444,15 @@ "uses", "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--e6ef745b-077f-42e1-a37d-29eecff9c754" - ], [ "malware--b6b3dfc7-9a81-43ff-ac04-698bad48973a", "uses", "attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0" - ], [ "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], [ "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2", @@ -21959,11 +18484,6 @@ "uses", "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], - [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--ab3580c8-8435-4117-aace-3d9fbe46aa56", "uses", 
@@ -21975,19 +18495,14 @@ "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--a4f57468-fbd5-49e4-8476-52088220b92d", "uses", - "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5" + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], [ - "malware--a4f57468-fbd5-49e4-8476-52088220b92d", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ "malware--67e6d66b-1b82-4699-b47a-e2efb6268d14", @@ -22005,9 +18520,9 @@ "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", @@ -22029,13 +18544,18 @@ "uses", "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" ], + [ + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "uses", + "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47" + ], [ "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "uses", "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a" ], 
@@ -22059,16 +18579,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" - ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360" - ], [ "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "uses", @@ -22084,6 +18594,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], + [ + "attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81", + "subtechnique-of", + "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2" + ], [ "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "uses", @@ -22099,16 +18614,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", - "uses", - "malware--73a4793a-ce55-4159-b2a6-208ef29b326f" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", @@ -22129,11 +18634,6 @@ "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], [ "malware--bd0536d7-b081-43ae-a773-cfb057c5b988", "uses", @@ -22144,6 +18644,11 @@ "subtechnique-of", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], + [ + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "uses", + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", @@ -22159,11 +18664,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", "uses", 
@@ -22180,9 +18680,14 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + ], + [ + "attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f", + "subtechnique-of", + "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23" ], [ "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", @@ -22229,11 +18734,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--d1183cb9-258e-4f2f-8415-50ac8252c49e", "uses", @@ -22259,11 +18759,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", @@ -22279,11 +18774,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" - ], [ "attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0", "subtechnique-of", @@ -22294,11 +18784,6 @@ "uses", "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], [ "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e", "subtechnique-of", @@ -22339,6 +18824,11 @@ "uses", "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], + [ + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "uses", + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" + ], [ "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", "uses", 
@@ -22354,11 +18844,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" - ], [ "intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656", "uses", @@ -22369,11 +18854,6 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", @@ -22394,30 +18874,20 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" - ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4", + "subtechnique-of", + "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" ], [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", 
@@ -22429,30 +18899,25 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "malware--a2282af0-f9dd-4373-9b92-eaf9e11e0c71" - ], [ "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "uses", "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9" ], [ - "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", - "uses", - "malware--ad4f146f-e3ec-444a-ba71-24bffd7f0f8e" + "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", + "subtechnique-of", + "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2" ], [ - "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "uses", - "malware--da5880b4-f7da-4869-85f2-e0aba84b8565" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", @@ -22470,14 +18935,14 @@ "attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c" ], [ - "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" + "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ], [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", + "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2", "uses", - "malware--8caa18af-4758-4fd3-9600-e8af579e89ed" + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", 
@@ -22495,9 +18960,9 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" ], [ "malware--800bdfba-6d66-480f-9f45-15845c05cb5d", @@ -22534,16 +18999,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--199463de-d9be-46d6-bb41-07234c1dd5a6" - ], [ "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", "uses", @@ -22554,6 +19009,11 @@ "uses", "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], + [ + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "uses", + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + ], [ "tool--b35068ec-107a-4266-bda8-eb7036267aea", "uses", @@ -22569,6 +19029,16 @@ "subtechnique-of", "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4" ], + [ + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "uses", + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + ], + [ + "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad", + "subtechnique-of", + "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf" + ], [ "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", "uses", @@ -22589,11 +19059,6 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" - ], [ "malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "uses", 
@@ -22610,25 +19075,15 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], [ "malware--da2ef4a9-7cbe-400a-a379-e2f230f28db3", "uses", "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" - ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", @@ -22640,9 +19095,9 @@ "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a" ], [ "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab", @@ -22659,6 +19114,11 @@ "uses", "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0" ], + [ + "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "uses", + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + ], [ "malware--7551188b-8f91-4d34-8350-0d0c57b2b913", "uses", @@ -22719,21 +19179,11 @@ "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4" - ], [ "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "uses", "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--b4d80f8b-d2b9-4448-8844-4bef777ed676", "uses", 
@@ -22770,30 +19220,20 @@ "tool--da04ac30-27da-4959-a67d-450ce47d9470" ], [ - "malware--d1531eaa-9e17-473e-a680-3298469662c3", - "uses", - "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b" + "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--d1531eaa-9e17-473e-a680-3298469662c3", "uses", - "tool--294e2560-bd48-44b2-9da2-833b5588ad11" + "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584" ], [ "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b", "subtechnique-of", "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", "uses", @@ -22810,15 +19250,20 @@ "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], + [ + "attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e", + "subtechnique-of", + "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109" + ], [ "malware--91000a8a-58cc-4aba-9ad0-993ad6302b86", "uses", 
@@ -22834,26 +19279,26 @@ "uses", "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + ], [ "malware--73c4711b-407a-449d-b269-e3b1531fe7a9", "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], [ "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00", "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" - ], [ "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", "uses", @@ -22865,9 +19310,14 @@ "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ], [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" + "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" + ], + [ + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "uses", + "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" ], [ "attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", @@ -22885,9 +19335,9 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--47124daf-44be-4530-9c63-038bc64318dd", "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" + "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916" ], [ "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", 
@@ -22914,16 +19364,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "tool--64764dc6-a032-495f-8250-1e4c06bdc163" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5", "uses", @@ -22944,16 +19384,6 @@ "uses", "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "tool--9de2308e-7bed-43a3-8e58-f194b3586700" - ], [ "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "uses", @@ -22969,11 +19399,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "uses", - "malware--cb7bcf6f-085f-41db-81ee-4b68481661b5" - ], [ "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "uses", @@ -22995,17 +19420,12 @@ "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], 
@@ -23079,16 +19499,21 @@ "uses", "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490", "subtechnique-of", "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6" ], + [ + "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "uses", + "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5" + ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" + ], [ "malware--705f0783-5f7d-4491-b6b7-9628e6e006d2", "uses", @@ -23114,11 +19539,6 @@ "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973", - "uses", - "attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5" - ], [ "malware--96b08451-b27a-4ff6-893f-790e26393a8e", "uses", 
@@ -23140,55 +19560,30 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", - "uses", - "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" - ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", "uses", - "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", + "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], [ "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], - [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", - "uses", - "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24" - ], [ "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541", "subtechnique-of", 
@@ -23205,20 +19600,15 @@ "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "malware--94379dec-5c87-49db-b36e-66abc0b81344" + "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "subtechnique-of", + "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf" ], [ "malware--f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "uses", "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "tool--115f88dd-0618-4389-83cb-98d33ae81848", "uses", @@ -23249,11 +19639,6 @@ "uses", "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70" - ], [ "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "uses", @@ -23265,9 +19650,9 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" + "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], [ "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", @@ -23290,9 +19675,9 @@ "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", - "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" + "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf" ], [ "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab", @@ -23309,6 +19694,11 @@ "uses", "attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3" ], + [ + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "uses", + "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + ], [ "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "uses", 
@@ -23329,35 +19719,30 @@ "uses", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", + "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", - "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ - "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", + "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" + "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47" ], [ - "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47" + "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" ], [ "malware--94379dec-5c87-49db-b36e-66abc0b81344", @@ -23369,11 +19754,6 @@ "uses", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc" - ], [ "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5", "subtechnique-of", @@ -23385,9 +19765,9 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", 
@@ -23399,11 +19779,6 @@ "subtechnique-of", "attack-pattern--51ea26b1-ff1e-4faa-b1a0-1114cd298c87" ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69" - ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "uses", @@ -23414,11 +19789,6 @@ "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab", "uses", @@ -23480,29 +19850,14 @@ "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" ], [ - "malware--94379dec-5c87-49db-b36e-66abc0b81344", - "uses", - "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" - ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" + "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "subtechnique-of", + "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--94379dec-5c87-49db-b36e-66abc0b81344", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], [ "malware--2dd34b01-6110-4aac-835d-b5e7b936b0be", @@ -23544,6 +19899,11 @@ "uses", "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c" ], + [ + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "uses", + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", 
@@ -23565,14 +19925,14 @@ "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ], [ - "malware--65341f30-bec6-4b1d-8abf-1a5620446c29", + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" + "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--65341f30-bec6-4b1d-8abf-1a5620446c29", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], [ "malware--ade37ada-14af-4b44-b36c-210eec255d53", @@ -23644,11 +20004,6 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", @@ -23659,11 +20014,6 @@ "uses", "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", @@ -23689,11 +20039,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--aad11e34-02ca-4220-91cd-2ed420af4db3", "uses", 
@@ -23704,36 +20049,16 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], [ "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--fc774af4-533b-4724-96d2-ac1026316794", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", @@ -23759,36 +20084,16 @@ "uses", "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" - ], [ "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "uses", "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4", "uses", "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], - [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], [ "malware--bb3c1098-d654-4620-bf40-694386d28921", "uses", 
@@ -23799,28 +20104,23 @@ "uses", "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], + [ + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "subtechnique-of", "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" ], [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "malware--e9595678-d269-469e-ae6b-75e49259de63", "uses", - "tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b" + "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb" - ], - [ - "malware--e9595678-d269-469e-ae6b-75e49259de63", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", + "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], @@ -23829,25 +20129,15 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], - [ - "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" + "attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d", + "subtechnique-of", + "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109" ], [ "malware--e494ad79-37ee-4cd0-866b-299c521d8b94", 
@@ -23855,7 +20145,7 @@ "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" ], @@ -23874,11 +20164,6 @@ "uses", "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], [ "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", "uses", @@ -23894,16 +20179,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "malware--099ecff2-41b8-436d-843c-038a9aa9aa69" - ], [ "malware--f108215f-3487-489d-be8b-80e346d32518", "uses", @@ -23949,6 +20224,11 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], + [ + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "uses", + "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" + ], [ "malware--ab3580c8-8435-4117-aace-3d9fbe46aa56", "uses", @@ -23964,21 +20244,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" - ], [ "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - ], [ "malware--e2031fd5-02c2-43d4-85e2-b64f474530c2", "uses", 
@@ -24009,11 +20279,6 @@ "uses", "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" - ], [ "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541", "uses", @@ -24030,9 +20295,9 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "malware--00806466-754d-44ea-ad6f-0caf59cb8556" + "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617" ], [ "malware--5bcd5511-6756-4824-a692-e8bb109364af", @@ -24040,25 +20305,20 @@ "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ - "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" + "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", - "attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2" + "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ "malware--e494ad79-37ee-4cd0-866b-299c521d8b94", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335" - ], [ "malware--8c553311-0baa-4146-997a-f79acef3d831", "uses", 
@@ -24095,45 +20355,35 @@ "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], [ - "malware--123bd7b3-675c-4b1a-8482-c55782b20e2b", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc" ], [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "malware--123bd7b3-675c-4b1a-8482-c55782b20e2b", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", "subtechnique-of", "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], [ "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" + "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], [ "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - ], [ "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "uses", 
@@ -24144,96 +20394,46 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "uses", "attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c" ], - [ - "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "malware--4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "tool--90ec2b22-7061-4469-b539-0989ec4f96c2" - ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" - ], [ "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e", "uses", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], [ - "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172", - "uses", - 
"attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" + "attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867", + "subtechnique-of", + "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23" ], [ "malware--199463de-d9be-46d6-bb41-07234c1dd5a6", "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab" - ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], [ "malware--aad11e34-02ca-4220-91cd-2ed420af4db3", "uses", @@ -24255,14 +20455,14 @@ "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "malware--60d50676-459a-47dd-92e9-a827a9fe9c58", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--60d50676-459a-47dd-92e9-a827a9fe9c58", "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" + "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" ], [ "tool--b52d6583-14a2-4ddc-8527-87fd2142558f", @@ -24279,21 +20479,11 @@ "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529" - ], [ "malware--2daa14d6-cbf3-4308-bb8e-213c324a08e4", "uses", "attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8" ], - [ - "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", 
@@ -24304,11 +20494,6 @@ "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--99709758-2b96-48f2-a68a-ad7fbd828091" - ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", @@ -24319,11 +20504,6 @@ "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", @@ -24340,9 +20520,9 @@ "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" + "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], [ "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", @@ -24354,16 +20534,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" - ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" - ], [ "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", @@ -24384,11 +20554,6 @@ "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb" - ], [ "malware--0a607c53-df52-45da-a75d-0e53df4dad5f", "uses", @@ -24419,11 +20584,6 @@ "subtechnique-of", "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529" ], - [ - "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "uses", - "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd" - ], [ "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", "uses", 
@@ -24434,11 +20594,6 @@ "uses", "attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b" - ], [ "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "uses", @@ -24474,31 +20629,11 @@ "uses", "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "uses", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004" - ], [ "malware--c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "uses", @@ -24529,11 +20664,6 @@ "uses", "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], [ "malware--4ab44516-ad75-4e43-a280-705dc0420e2f", "uses", @@ -24544,6 +20674,11 @@ "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], + [ + "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", + "uses", + "attack-pattern--2cd950a6-16c4-404a-aa01-044322395107" + ], [ "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "uses", 
@@ -24559,20 +20694,15 @@ "uses", "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], - [ - "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647", - "uses", - "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24" - ], [ "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069", "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", + "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "uses", - "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "malware--432555de-63bf-4f2a-a3fa-f720a4561078", @@ -24585,25 +20715,20 @@ "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d" ], [ - "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "malware--53ab35c2-d00e-491a-8753-41d35ae7e547" + "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "uses", - "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" + "malware--53ab35c2-d00e-491a-8753-41d35ae7e547" ], [ "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" - ], [ "attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306", "subtechnique-of", 
@@ -24629,96 +20754,56 @@ "uses", "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], - [ - "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d", - "uses", - "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - ], - [ - "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "uses", - "malware--8b880b41-5139-4807-baa9-309690218719" - ], [ "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--bf147104-abf9-4221-95d1-e81585859441" + "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336" ], [ "malware--5e814485-012d-423d-b769-026bfed0f451", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" - ], [ "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4", "uses", "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--3d8e547d-9456-4f32-a895-dc86134e282f", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "malware--2f1a9fd0-3b7c-4d77-a358-78db13adbe78", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" ], [ - "malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82", + "malware--2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", "uses", - "malware--b4d80f8b-d2b9-4448-8844-4bef777ed676" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" 
], [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], [ "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d", - "uses", - "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], - [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "malware--56e6b6c2-e573-4969-8bab-783205cebbbf" - ], [ "malware--051eaca1-958f-4091-9e5f-a9acd8f820b5", "uses", @@ -24745,7 +20830,7 @@ "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d" ], @@ -24759,21 +20844,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "malware--4f6aa78c-c3d4-4883-9840-96ca2f5d6d47" - ], [ "tool--5a63f900-5e7e-4928-a746-dd4558e1df71", "uses", 
@@ -24800,9 +20870,9 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0" + "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], [ "malware--5189f018-fea2-45d7-b0ed-23f9ee0a46f3", @@ -24819,21 +20889,11 @@ "uses", "attack-pattern--5e4a2073-9643-44cb-a0b5-e7f4048446c7" ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b" - ], [ "attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", "subtechnique-of", "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db" ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", @@ -24842,17 +20902,7 @@ [ "malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ "malware--79499993-a8d6-45eb-b343-bf58dea5bdde", @@ -24874,11 +20924,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" - ], [ "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd", "uses", 
@@ -24935,24 +20980,24 @@ "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" ], [ - "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "malware--f6ae7a52-f3b6-4525-9daf-640c083f006e", @@ -24970,14 +21015,14 @@ "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" + "malware--d9f7383c-95ec-4080-bbce-121c9384457b" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e", "uses", - "attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc" + "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" ], [ "attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf", 
@@ -24989,25 +21034,15 @@ "uses", "attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" + "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327", + "subtechnique-of", + "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4" ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", @@ -25015,9 +21050,9 @@ "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "malware--47124daf-44be-4530-9c63-038bc64318dd", "uses", - "attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530" + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ "malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", @@ -25034,11 +21069,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" - ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", @@ -25064,11 +21094,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--bd0536d7-b081-43ae-a773-cfb057c5b988", "uses", 
@@ -25084,16 +21109,6 @@ "uses", "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "malware--aae22730-e571-4d17-b037-65f2a3e26213" - ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" - ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", @@ -25124,30 +21139,20 @@ "uses", "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "uses", "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e" ], [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6" ], [ "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8", 
@@ -25159,25 +21164,15 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], [ "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" - ], - [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ "malware--3d8e547d-9456-4f32-a895-dc86134e282f", @@ -25194,11 +21189,6 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70" - ], [ "malware--94379dec-5c87-49db-b36e-66abc0b81344", "uses", @@ -25209,11 +21199,6 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" - ], [ "tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973", "uses", @@ -25230,15 +21215,10 @@ "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "uses", 
@@ -25304,6 +21284,11 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], + [ + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "uses", + "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" + ], [ "malware--17e919aa-4a49-445c-b103-dbb8df9e7351", "uses", @@ -25315,9 +21300,9 @@ "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" + "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" ], [ "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2", @@ -25334,26 +21319,11 @@ "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], - [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56" - ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", 
@@ -25379,40 +21349,20 @@ "subtechnique-of", "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" - ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8" - ], - [ - "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" - ], - [ - "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", - "uses", - "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae" - ], [ "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "uses", "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "uses", - "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2" + "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], [ - "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd", @@ -25424,11 +21374,6 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", @@ -25474,11 +21419,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153" - ], [ "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "subtechnique-of", 
@@ -25494,11 +21434,6 @@ "uses", "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58", "subtechnique-of", @@ -25509,11 +21444,6 @@ "uses", "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -25524,11 +21454,6 @@ "uses", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40" - ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "uses", @@ -25549,16 +21474,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "malware--1d808f62-cf63-4063-9727-ff6132514c22" - ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", 
@@ -25584,41 +21499,26 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], [ "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "malware--4a98e44a-bd52-461e-af1e-a4457de87a36", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" + "attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--4a98e44a-bd52-461e-af1e-a4457de87a36", "uses", - "tool--c9703cd3-141c-43a0-a926-380082be5d04" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f" - ], [ "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "uses", @@ -25634,11 +21534,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51" - ], [ "attack-pattern--86a96bf6-cf8b-411c-aaeb-8959944d64f7", "subtechnique-of", @@ -25674,11 +21569,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--b865dded-0553-4962-a44b-6fe7863effed" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", 
@@ -25720,35 +21610,15 @@ "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], [ - "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172", - "uses", - "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" - ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327", + "subtechnique-of", + "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1" ], [ "malware--68dca94f-c11d-421e-9287-7c501108e18c", "uses", "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], - [ - "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], [ "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", "uses", @@ -25789,6 +21659,11 @@ "uses", "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" ], + [ + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "uses", + "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" + ], [ "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", "uses", 
@@ -25800,29 +21675,24 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" + "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], [ "malware--60c18d06-7b91-4742-bae3-647845cd9d81", "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34" - ], [ "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3", "uses", "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc" ], [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "malware--96566860-9f11-4b6f-964d-1c924e4f24a4" + "attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6" ], [ "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", @@ -25844,21 +21714,11 @@ "uses", "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--aa1462a1-d065-416c-b354-bedd04998c7f", "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317" - ], [ "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce", "uses", 
@@ -25870,15 +21730,20 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5", + "subtechnique-of", + "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109" ], [ "malware--4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "uses", "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" + ], [ "tool--26c87906-d750-42c5-946c-d4162c73fc7b", "uses", @@ -25894,16 +21759,6 @@ "subtechnique-of", "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "malware--d69c8146-ab35-4d50-8382-6fc80e641d43" - ], [ "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "uses", @@ -25915,14 +21770,9 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" - ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--47124daf-44be-4530-9c63-038bc64318dd", "uses", - "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9" + "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], [ "malware--8c553311-0baa-4146-997a-f79acef3d831", @@ -25959,11 +21809,6 @@ "uses", "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" - ], [ "malware--a5575606-9b85-4e3d-9cd2-40ef30e3672d", "uses", 
@@ -25980,14 +21825,9 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], - [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], [ "malware--00806466-754d-44ea-ad6f-0caf59cb8556", @@ -26060,14 +21900,14 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", - "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24" + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], [ "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a", @@ -26084,11 +21924,6 @@ "subtechnique-of", "attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "malware--b45747dc-87ca-4597-a245-7e16a61bc491" - ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", "uses", @@ -26104,11 +21939,6 @@ "uses", "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d" ], - [ - "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "uses", @@ -26205,7 +22035,7 @@ "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" ], 
@@ -26224,11 +22054,6 @@ "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], - [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00", "uses", @@ -26249,16 +22074,6 @@ "uses", "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" - ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825" - ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", @@ -26279,11 +22094,6 @@ "uses", "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--08d20cd2-f084-45ee-8558-fa6ef5a18519" - ], [ "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "uses", @@ -26294,6 +22104,16 @@ "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], + [ + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "uses", + "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" + ], + [ + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "uses", + "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" + ], [ "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "uses", 
@@ -26309,25 +22129,20 @@ "uses", "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f" - ], [ "malware--e1161124-f22e-487f-9d5f-ed8efc8dcd61", "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "malware--53d47b09-09c2-4015-8d37-6633ecd53f79" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2", @@ -26405,25 +22220,20 @@ "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], [ - "malware--12a7450d-b03e-4990-a5b8-b405ab9c803b", + "malware--ef2247bf-8062-404b-894f-d65d00564817", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", + "malware--12a7450d-b03e-4990-a5b8-b405ab9c803b", "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" + "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" - ], [ "malware--a5575606-9b85-4e3d-9cd2-40ef30e3672d", "uses", @@ -26454,11 +22264,6 @@ "uses", "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", 
@@ -26470,14 +22275,14 @@ "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" + "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], [ - "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "malware--53a42597-1974-4b8e-84fd-3675e8992053", @@ -26490,14 +22295,14 @@ "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba" ], [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", + "malware--b8fdef82-d2cf-4948-8949-6466357b1be1", "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" + "attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3" ], [ - "malware--b8fdef82-d2cf-4948-8949-6466357b1be1", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3" + "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], [ "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", @@ -26520,14 +22325,14 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" + "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580" ], [ - "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983", + "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ "malware--95047f03-4811-4300-922e-1ba937d53a61", 
@@ -26544,11 +22349,6 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" - ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", @@ -26560,9 +22360,14 @@ "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" ], [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" + ], + [ + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "uses", + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", @@ -26579,6 +22384,11 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" + ], [ "malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "uses", @@ -26604,21 +22414,11 @@ "uses", "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926" - ], [ "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", "uses", "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "uses", 
@@ -26634,21 +22434,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916" - ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], [ "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e", "uses", @@ -26660,14 +22445,14 @@ "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "malware--56d10a7f-bb42-4267-9b4c-63abb9c06010", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" + "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], [ - "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d", + "malware--56d10a7f-bb42-4267-9b4c-63abb9c06010", "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4", @@ -26689,21 +22474,11 @@ "uses", "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" - ], [ "malware--b8fdef82-d2cf-4948-8949-6466357b1be1", "uses", "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], [ "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", "uses", 
@@ -26720,15 +22495,25 @@ "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "uses", - "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", "uses", "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], + [ + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "uses", + "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7" + ], + [ + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "uses", + "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" + ], [ "malware--d9f7383c-95ec-4080-bbce-121c9384457b", "uses", @@ -26764,16 +22549,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], - [ - "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", - "uses", - "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab" - ], [ "malware--5dd649c0-bca4-488b-bd85-b180474ec62e", "uses", @@ -26799,6 +22574,11 @@ "uses", "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], + [ + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "uses", + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", 
@@ -26815,20 +22595,15 @@ "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92" + "attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26", + "subtechnique-of", + "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f" ], [ "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "uses", "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" ], - [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" - ], [ "attack-pattern--2cd950a6-16c4-404a-aa01-044322395107", "subtechnique-of", 
@@ -26855,34 +22630,24 @@ "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ - "malware--a8a778f5-0035-4870-bb25-53dc05029586", - "uses", - "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" - ], - [ - "attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c", - "subtechnique-of", - "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db" - ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" + "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916" ], [ - "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6", + "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" + "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", + "malware--a8a778f5-0035-4870-bb25-53dc05029586", "uses", - "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" + "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", - "uses", - "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e" + "attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c", + "subtechnique-of", + "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db" ], [ "malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", 
@@ -26890,25 +22655,15 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" + "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" - ], [ "malware--de6cb631-52f6-4169-a73b-7965390b0c30", "uses", @@ -26930,19 +22685,14 @@ "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "uses", - "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" + "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], [ - "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", @@ -26964,6 +22714,11 @@ "uses", "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65" ], + [ + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "uses", + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + ], [ "malware--b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "uses", 
@@ -26975,14 +22730,14 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" + "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], [ - "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", @@ -26994,11 +22749,6 @@ "uses", "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" - ], [ "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "uses", @@ -27024,21 +22774,11 @@ "uses", "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" - ], [ "malware--bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b" - ], [ "tool--ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "uses", @@ -27054,11 +22794,6 @@ "uses", "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071" - ], [ "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "uses", @@ -27134,11 +22869,6 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "malware--de6cb631-52f6-4169-a73b-7965390b0c30" - ], [ "malware--67e6d66b-1b82-4699-b47a-e2efb6268d14", "uses", 
@@ -27159,11 +22889,6 @@ "uses", "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade" - ], [ "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", "subtechnique-of", @@ -27184,31 +22909,31 @@ "uses", "attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2" ], + [ + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "uses", + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "uses", @@ -27219,11 +22944,6 @@ "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--f6ae7a52-f3b6-4525-9daf-640c083f006e", "uses", 
@@ -27254,16 +22974,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46" - ], [ "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", "uses", @@ -27279,6 +22989,11 @@ "uses", "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "malware--94379dec-5c87-49db-b36e-66abc0b81344", "uses", @@ -27310,20 +23025,15 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", "uses", - "malware--b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f" + "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783" ], [ "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "tool--cf23bf4a-e003-4116-bbae-1ea6c558d565" - ], [ "malware--5a84dc36-df0d-4053-9b7c-f0c388a57283", "uses", @@ -27342,7 +23052,12 @@ [ "malware--67e6d66b-1b82-4699-b47a-e2efb6268d14", "uses", - "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" + "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" + ], + [ + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "uses", + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8", @@ -27359,11 +23074,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" - ], [ "malware--da5880b4-f7da-4869-85f2-e0aba84b8565", "uses", 
@@ -27374,16 +23084,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" - ], [ "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "uses", @@ -27405,14 +23105,14 @@ "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" + "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" + "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0" ], [ "malware--b4d80f8b-d2b9-4448-8844-4bef777ed676", @@ -27464,11 +23164,6 @@ "uses", "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "malware--8c050cea-86e1-4b63-bf21-7af4fa483349", "uses", @@ -27505,14 +23200,14 @@ "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" ], [ - "tool--9de2308e-7bed-43a3-8e58-f194b3586700", + "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", - "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" + "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" ], [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", + "tool--9de2308e-7bed-43a3-8e58-f194b3586700", "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" + "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011" ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", 
@@ -27524,11 +23219,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "uses", @@ -27550,19 +23240,14 @@ "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" ], [ - "malware--8b880b41-5139-4807-baa9-309690218719", - "uses", - "attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829" - ], - [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" + "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" ], [ - "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40", + "malware--8b880b41-5139-4807-baa9-309690218719", "uses", - "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945" + "attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829" ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", @@ -27570,9 +23255,9 @@ "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + "malware--432555de-63bf-4f2a-a3fa-f720a4561078" ], [ "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", @@ -27589,11 +23274,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9" - ], [ "malware--65341f30-bec6-4b1d-8abf-1a5620446c29", "uses", @@ -27609,6 +23289,11 @@ "uses", "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d" ], + [ + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "uses", + "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e" + ], [ "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "uses", 
@@ -27624,21 +23309,6 @@ "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" - ], - [ - "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", - "uses", - "malware--b4d80f8b-d2b9-4448-8844-4bef777ed676" - ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "tool--242f3da3-4425-4d11-8f5c-b842886da966" - ], [ "malware--b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", "uses", @@ -27654,11 +23324,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], [ "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "uses", @@ -27669,21 +23334,11 @@ "uses", "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24" ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" - ], [ "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "uses", @@ -27694,11 +23349,6 @@ "uses", "attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "tool--9a2640c2-9f43-46fe-b13f-bde881e55555" - ], [ "malware--a5575606-9b85-4e3d-9cd2-40ef30e3672d", "uses", 
@@ -27729,21 +23379,6 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" - ], - [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", @@ -27784,30 +23419,20 @@ "uses", "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665" - ], [ "malware--53486bc7-7748-4716-8190-e4f1fde04c53", "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd", - "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" - ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f" + "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", + "malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd", "uses", - "malware--7451bcf9-e6e6-4a70-bc3d-1599173d0035" + "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], [ "attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd", 
@@ -27865,35 +23490,25 @@ "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" + "attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc", + "subtechnique-of", + "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a" ], [ "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", "uses", "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], [ "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "uses", @@ -27904,11 +23519,6 @@ "uses", "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" - ], [ "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d", "uses", @@ -27944,16 +23554,6 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" - ], [ "malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "uses", 
@@ -27969,11 +23569,6 @@ "uses", "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" - ], [ "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00", "uses", @@ -27989,25 +23584,20 @@ "uses", "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747" - ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", "attack-pattern--c0dfe7b0-b873-4618-9ff8-53e31f70907f" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], [ - "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" + "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755" ], [ "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", @@ -28019,11 +23609,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", @@ -28080,9 +23665,9 @@ "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "malware--cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e" + "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92" ], [ "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", 
@@ -28104,11 +23689,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", @@ -28129,16 +23709,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - ], [ "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc", "uses", @@ -28165,9 +23735,9 @@ "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", @@ -28179,6 +23749,11 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], + [ + "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "uses", + "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84" + ], [ "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", "uses", 
@@ -28199,46 +23774,16 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" - ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" - ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" - ], [ "malware--b8eb28e4-48a6-40ae-951a-328714f75eda", "uses", "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--b879758f-bbc4-4cab-b5ba-177ac9b009b4", "uses", @@ -28249,21 +23794,11 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" - ], [ "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab", "uses", @@ -28279,11 +23814,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", 
@@ -28304,11 +23834,6 @@ "uses", "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba" - ], [ "malware--8c050cea-86e1-4b63-bf21-7af4fa483349", "uses", @@ -28370,9 +23895,9 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ "malware--7551188b-8f91-4d34-8350-0d0c57b2b913", @@ -28385,7 +23910,7 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], @@ -28399,11 +23924,6 @@ "uses", "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5" ], - [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", - "uses", - "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" - ], [ "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "uses", @@ -28414,21 +23934,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36" - ], [ "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", "uses", 
@@ -28445,9 +23950,9 @@ "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--aa1462a1-d065-416c-b354-bedd04998c7f", @@ -28465,14 +23970,14 @@ "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], [ - "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "uses", - "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" + "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83" ], [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", - "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153" + "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" ], [ "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4", @@ -28500,9 +24005,9 @@ "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], [ "malware--308b3d68-a084-4dfb-885a-3125e1a9c1e8", 
@@ -28525,54 +24030,29 @@ "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" - ], - [ - "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "uses", - "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" - ], - [ - "tool--da04ac30-27da-4959-a67d-450ce47d9470", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a" - ], - [ - "malware--b143dfa4-e944-43ff-8429-bfffc308c517", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" + "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" ], [ - "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", + "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" + "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], [ - "malware--e9595678-d269-469e-ae6b-75e49259de63", + "tool--da04ac30-27da-4959-a67d-450ce47d9470", "uses", - "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c" + "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--b143dfa4-e944-43ff-8429-bfffc308c517", "uses", - "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b" + "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", + "malware--e9595678-d269-469e-ae6b-75e49259de63", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c" ], [ "malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd", 
@@ -28589,56 +24069,31 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" ], [ - "malware--f01e2711-4b48-4192-a2e8-5f56c945ca19", + "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", "uses", - "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--f01e2711-4b48-4192-a2e8-5f56c945ca19", "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" + "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7" ], [ "attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42", "subtechnique-of", "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--8c41090b-aa47-4331-986b-8c9a51a91103" - ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" - ], [ "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771", "subtechnique-of", "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534" - ], [ "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", "uses", 
@@ -28664,25 +24119,15 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "malware--7551188b-8f91-4d34-8350-0d0c57b2b913", "uses", "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" ], [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "uses", - "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27" + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], [ "malware--e9595678-d269-469e-ae6b-75e49259de63", @@ -28705,9 +24150,14 @@ "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ], [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" + "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c" + ], + [ + "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "uses", + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", @@ -28764,11 +24214,6 @@ "uses", "malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--f108215f-3487-489d-be8b-80e346d32518" - ], [ "tool--115f88dd-0618-4389-83cb-98d33ae81848", "uses", @@ -28779,11 +24224,6 @@ "uses", "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "malware--11194d8b-fdce-45d2-8047-df15bb8f16bd" - ], [ "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", 
@@ -28794,11 +24234,6 @@ "uses", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", @@ -28830,35 +24265,20 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "malware--0998045d-f96e-4284-95ce-3c8219707486" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc" + "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8", "uses", - "tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079" + "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ "malware--8c050cea-86e1-4b63-bf21-7af4fa483349", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], [ "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "uses", @@ -28874,21 +24294,6 @@ "uses", "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945" - ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" - ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" - ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", 
@@ -28900,9 +24305,9 @@ "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6" ], [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665" + "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a" ], [ "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", @@ -28924,11 +24329,6 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", "uses", @@ -28939,11 +24339,6 @@ "uses", "attack-pattern--35187df2-31ed-43b6-a1f5-2f1d3d58d3f1" ], - [ - "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", "uses", @@ -28959,6 +24354,11 @@ "uses", "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" ], + [ + "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b", + "subtechnique-of", + "attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a" + ], [ "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", "uses", @@ -28979,16 +24379,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--c9cd7ec9-40b7-49db-80be-1399eddd9c52" - ], - [ - "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", - "uses", - "malware--691c60e2-273d-4d56-9ce6-b67e0f8719ad" - ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", 
@@ -29014,26 +24404,11 @@ "uses", "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade" - ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14", "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" - ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", @@ -29044,11 +24419,6 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf" - ], [ "malware--a8a778f5-0035-4870-bb25-53dc05029586", "uses", @@ -29065,14 +24435,9 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" + "attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6", + "subtechnique-of", + "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a" ], [ "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", @@ -29099,11 +24464,6 @@ "uses", "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5" - ], [ "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "uses", 
@@ -29114,11 +24474,6 @@ "uses", "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", "subtechnique-of", @@ -29154,16 +24509,6 @@ "subtechnique-of", "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], [ "malware--3d8e547d-9456-4f32-a895-dc86134e282f", "uses", @@ -29185,9 +24530,9 @@ "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", @@ -29214,11 +24559,6 @@ "uses", "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "uses", @@ -29235,9 +24575,14 @@ "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", + "subtechnique-of", + "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9" + ], + [ + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "uses", - "malware--b9eec47e-98f4-4b3c-b574-3fa8a87ebe05" + "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118" ], [ "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce", 
@@ -29289,21 +24634,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" - ], - [ - "intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "uses", - "malware--dfb5fa9b-3051-4b97-8035-08f80aef945b" - ], - [ - "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--1d1fce2f-0db5-402b-9843-4278a0694637", "uses", @@ -29320,9 +24650,9 @@ "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" + "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], [ "malware--94379dec-5c87-49db-b36e-66abc0b81344", 
@@ -29335,40 +24665,25 @@ "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" + "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5", + "subtechnique-of", + "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8" ], [ "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360", "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" - ], [ "malware--11194d8b-fdce-45d2-8047-df15bb8f16bd", "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4" - ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" - ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", @@ -29410,9 +24725,9 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "uses", - "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" + "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], [ "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", 
@@ -29429,6 +24744,16 @@ "uses", "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" ], + [ + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "uses", + "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c" + ], + [ + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "uses", + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + ], [ "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "uses", @@ -29444,11 +24769,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" - ], [ "malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131", "uses", @@ -29475,9 +24795,9 @@ "attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", - "malware--051eaca1-958f-4091-9e5f-a9acd8f820b5" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", @@ -29489,11 +24809,6 @@ "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", - "uses", - "malware--4ab44516-ad75-4e43-a280-705dc0420e2f" - ], [ "malware--e6ef745b-077f-42e1-a37d-29eecff9c754", "uses", @@ -29509,6 +24824,11 @@ "uses", "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], + [ + "attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "subtechnique-of", + "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1" + ], [ "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", @@ -29524,11 +24844,6 @@ "uses", "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" - ], [ "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "subtechnique-of", 
@@ -29544,11 +24859,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24" - ], [ "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "uses", @@ -29569,16 +24879,6 @@ "uses", "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "tool--242f3da3-4425-4d11-8f5c-b842886da966" - ], [ "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "uses", @@ -29590,9 +24890,9 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852" ], [ "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573", @@ -29605,9 +24905,9 @@ "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc" ], [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ "malware--12a7450d-b03e-4990-a5b8-b405ab9c803b", 
@@ -29615,14 +24915,14 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "malware--17e919aa-4a49-445c-b103-dbb8df9e7351", + "tool--975737f1-b10d-476f-8bda-3ec26ea57172", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", + "malware--17e919aa-4a49-445c-b103-dbb8df9e7351", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--069af411-9b24-4e85-b26c-623d035bbe84", @@ -29644,16 +24944,6 @@ "subtechnique-of", "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" - ], - [ - "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "uses", - "malware--7bec698a-7e20-4fd3-bb6a-12787770fb1a" - ], [ "malware--b6b3dfc7-9a81-43ff-ac04-698bad48973a", "uses", @@ -29679,16 +24969,6 @@ "uses", "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" - ], - [ - "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "uses", @@ -29719,21 +24999,11 @@ "uses", "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], [ "malware--b42378e0-f147-496f-992a-26a49705395b", "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" - ], [ "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73", "uses", 
@@ -29750,25 +25020,30 @@ "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea" ], [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", - "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" + "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" ], [ - "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" + "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" + "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], [ "malware--5be33fef-39c0-4532-84ee-bea31e1b5324", "uses", "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4" ], + [ + "attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421", + "subtechnique-of", + "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1" + ], [ "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", "uses", @@ -29814,6 +25089,11 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" + ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", @@ -29835,14 +25115,14 @@ "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" ], [ - "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", + "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "uses", - "attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b" + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", 
@@ -29864,16 +25144,6 @@ "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65" - ], - [ - "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "malware--58adaaa8-f1e8-4606-9a08-422e568461eb", "uses", @@ -29884,11 +25154,6 @@ "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" - ], [ "malware--754effde-613c-4244-a83e-fb659b2a4d06", "uses", @@ -29899,11 +25164,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", "uses", @@ -29919,11 +25179,6 @@ "uses", "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" - ], [ "malware--b879758f-bbc4-4cab-b5ba-177ac9b009b4", "uses", @@ -29944,21 +25199,6 @@ "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "malware--5e814485-012d-423d-b769-026bfed0f451" - ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], - [ - "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", - "uses", - "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8" - ], [ "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", "uses", 
@@ -29969,11 +25209,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4" - ], [ "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "uses", @@ -29999,11 +25234,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" - ], [ "malware--432555de-63bf-4f2a-a3fa-f720a4561078", "uses", @@ -30019,11 +25249,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", - "uses", - "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" - ], [ "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65", "uses", @@ -30044,16 +25269,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", - "uses", - "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--1cc934e4-b01d-4543-a011-b988dfc1a458", "uses", @@ -30064,26 +25279,11 @@ "uses", "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "uses", "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" - ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", 
@@ -30099,16 +25299,6 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a", "uses", @@ -30119,6 +25309,11 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], + [ + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "uses", + "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" + ], [ "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3", "uses", @@ -30129,20 +25324,15 @@ "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "tool--65370d0b-3bd4-4653-8cf9-daf56f6be830" - ], [ "tool--da04ac30-27da-4959-a67d-450ce47d9470", "uses", "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3", + "subtechnique-of", + "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", @@ -30170,7 +25360,7 @@ "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f" ], 
@@ -30215,9 +25405,14 @@ "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "subtechnique-of", + "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8" + ], + [ + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ "malware--aad11e34-02ca-4220-91cd-2ed420af4db3", @@ -30225,7 +25420,7 @@ "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" ], @@ -30234,16 +25429,31 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], + [ + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "uses", + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + ], [ "malware--8caa18af-4758-4fd3-9600-e8af579e89ed", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], + [ + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "uses", + "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b" + ], [ "malware--308b3d68-a084-4dfb-885a-3125e1a9c1e8", "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], + [ + "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "subtechnique-of", + "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754" + ], [ "malware--b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", "uses", 
@@ -30255,14 +25465,14 @@ "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "uses", - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", @@ -30270,35 +25480,15 @@ "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], - [ - "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", - "uses", - "malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" + "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" ], [ "malware--099ecff2-41b8-436d-843c-038a9aa9aa69", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], [ "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe", "uses", 
@@ -30309,25 +25499,15 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "uses", "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" ], [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" + "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64" ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", @@ -30344,11 +25524,6 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "uses", @@ -30359,6 +25534,11 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], + [ + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "uses", + "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735" + ], [ "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "uses", @@ -30389,11 +25569,6 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661" - ], [ "malware--11194d8b-fdce-45d2-8047-df15bb8f16bd", "uses", @@ -30404,11 +25579,6 @@ "uses", "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584" ], - [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" - ], [ "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", "uses", 
@@ -30419,26 +25589,11 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", - "uses", - "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], [ "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], [ "attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177", "subtechnique-of", @@ -30449,36 +25604,21 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], [ "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "uses", - "tool--242f3da3-4425-4d11-8f5c-b842886da966" + "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ "malware--24b4ce59-eaac-4c8b-8634-9b093b7ccd92", "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4" - ], [ "malware--56d10a7f-bb42-4267-9b4c-63abb9c06010", "uses", @@ -30509,6 +25649,11 @@ "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], + [ + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "uses", + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + ], [ "malware--fc774af4-533b-4724-96d2-ac1026316794", "uses", 
@@ -30524,6 +25669,11 @@ "uses", "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" ], + [ + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "uses", + "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5" + ], [ "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "uses", @@ -30539,36 +25689,16 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" - ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], - [ - "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - ], [ "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", "uses", @@ -30590,7 +25720,7 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], @@ -30615,12 +25745,7 @@ "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" ], [ - "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", - "uses", - "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd" - ], - [ - "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], 
@@ -30639,31 +25764,11 @@ "uses", "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--a52edc76-328d-4596-85e7-d56ef5a9eb69" - ], [ "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", "uses", "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], [ "malware--b879758f-bbc4-4cab-b5ba-177ac9b009b4", "uses", @@ -30674,11 +25779,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d" - ], [ "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "uses", @@ -30689,11 +25789,6 @@ "uses", "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" - ], [ "malware--60d50676-459a-47dd-92e9-a827a9fe9c58", "uses", 
@@ -30737,23 +25832,13 @@ [ "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" - ], [ "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uses", @@ -30774,21 +25859,11 @@ "uses", "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" - ], [ "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541", "uses", "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" - ], [ "malware--069af411-9b24-4e85-b26c-623d035bbe84", "uses", @@ -30804,6 +25879,11 @@ "uses", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0" + ], [ "malware--1d1fce2f-0db5-402b-9843-4278a0694637", "uses", @@ -30824,11 +25904,6 @@ "uses", "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" ], - [ - "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "uses", - "malware--e8268361-a599-4e45-bd3f-71c8c7e700c0" - ], [ "malware--75bba379-4ba1-467e-8c60-ec2b269ee984", "uses", 
@@ -30839,21 +25914,6 @@ "uses", "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc" - ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" - ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414" - ], [ "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "uses", @@ -30890,30 +25950,20 @@ "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ - "attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884", "subtechnique-of", - "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c" + "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f" ], [ - "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "subtechnique-of", + "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" ], [ "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b" - ], [ "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952", "uses", 
@@ -30945,14 +25995,14 @@ "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5" ], [ - "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" + "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "uses", - "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" + "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ "malware--fc774af4-533b-4724-96d2-ac1026316794", @@ -30974,21 +26024,11 @@ "uses", "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" - ], [ "malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122", "uses", "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], [ "malware--800bdfba-6d66-480f-9f45-15845c05cb5d", "uses", @@ -31029,21 +26069,11 @@ "subtechnique-of", "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba" ], - [ - "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "uses", - "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" - ], [ "attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "subtechnique-of", "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", @@ -31084,11 +26114,6 @@ "uses", "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c" - ], [ "malware--60d50676-459a-47dd-92e9-a827a9fe9c58", "uses", 
@@ -31099,40 +26124,30 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317" - ], [ "malware--166c0eca-02fd-424a-92c0-6b5106994d31", "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "uses", "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf" ], [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c", "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" ], [ - "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c", + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade" ], [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" + "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b" ], [ "malware--f01e2711-4b48-4192-a2e8-5f56c945ca19", @@ -31144,11 +26159,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - ], [ "malware--166c0eca-02fd-424a-92c0-6b5106994d31", "uses", 
@@ -31160,14 +26170,14 @@ "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--99709758-2b96-48f2-a68a-ad7fbd828091" ], [ - "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d", + "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "uses", - "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082" + "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84" ], [ "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", @@ -31184,11 +26194,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4" - ], [ "malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b", "uses", @@ -31209,11 +26214,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", - "uses", - "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52" - ], [ "attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86", "subtechnique-of", @@ -31244,16 +26244,6 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", "uses", @@ -31265,9 +26255,9 @@ "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ - "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "uses", - "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], [ "malware--d9f7383c-95ec-4080-bbce-121c9384457b", 
@@ -31299,16 +26289,6 @@ "subtechnique-of", "attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab" ], - [ - "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], [ "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", @@ -31334,6 +26314,11 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], + [ + "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "uses", + "attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91" + ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", @@ -31344,15 +26329,20 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], + [ + "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "uses", + "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69" + ], [ "malware--4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ], [ "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3", @@ -31374,16 +26364,6 @@ "uses", "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" - ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", "uses", 
@@ -31404,20 +26384,15 @@ "uses", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], - [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--a705b085-1eae-455e-8f4d-842483d814eb", "uses", "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", "uses", - "malware--a4f57468-fbd5-49e4-8476-52088220b92d" + "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], [ "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", @@ -31430,9 +26405,9 @@ "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uses", - "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" + "malware--1cdbbcab-903a-414d-8eb0-439a97343737" ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", @@ -31469,11 +26444,6 @@ "uses", "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c" ], - [ - "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], [ "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "uses", @@ -31499,11 +26469,6 @@ "uses", "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], - [ - "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", - "uses", - "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab" - ], [ "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe", "uses", @@ -31514,11 +26479,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "uses", - "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414" - ], [ "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", "uses", 
@@ -31539,11 +26499,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "malware--687c23e4-4e25-4ee7-a870-c5e002511f54" - ], [ "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b", "subtechnique-of", @@ -31570,15 +26525,10 @@ "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - ], [ "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", "uses", @@ -31589,11 +26539,6 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" - ], [ "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298", "subtechnique-of", @@ -31619,11 +26564,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "uses", @@ -31634,11 +26574,6 @@ "uses", "attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef" ], - [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" - ], [ "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "uses", @@ -31649,11 +26584,6 @@ "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "uses", 
@@ -31679,26 +26609,11 @@ "uses", "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], - [ - "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", - "uses", - "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" - ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18" - ], [ "malware--cb7bcf6f-085f-41db-81ee-4b68481661b5", "uses", "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3" - ], [ "malware--dfb5fa9b-3051-4b97-8035-08f80aef945b", "uses", @@ -31715,14 +26630,9 @@ "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], [ - "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "uses", - "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384" + "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d" ], [ "malware--76abb3ef-dafd-4762-97cb-a35379429db4", 
@@ -31739,31 +26649,21 @@ "uses", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" - ], [ "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "uses", "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "tool--c4810609-7da6-48ec-8057-1b70a7814db0", "uses", - "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" + "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" ], [ "malware--92b03a94-7147-4952-9d5a-b4d24da7487c", "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "tool--90ac9266-68ce-46f2-b24f-5eb3b2a8ea38" - ], [ "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", "uses", @@ -31779,31 +26679,21 @@ "uses", "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c" ], - [ - "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--58adaaa8-f1e8-4606-9a08-422e568461eb", "uses", "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e" ], [ - "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d", + "subtechnique-of", + "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a" ], [ "malware--d1183cb9-258e-4f2f-8415-50ac8252c49e", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a" - ], [ "malware--92b55426-109f-4d93-899f-1833ce91ff90", "uses", 
@@ -31820,54 +26710,29 @@ "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - ], - [ - "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "uses", - "malware--800bdfba-6d66-480f-9f45-15845c05cb5d" - ], - [ - "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" - ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + "attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532", + "subtechnique-of", + "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0" ], [ "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0", "subtechnique-of", "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" - ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "uses", - "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670" - ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", "uses", - "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" + "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" ], [ - "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", + "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", "uses", - "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" + "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", 
@@ -31880,20 +26745,30 @@ "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" ], [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "uses", - "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475" + "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755" ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd" ], + [ + "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "uses", + "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" + ], [ "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], + [ + "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "uses", + "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82" + ], [ "malware--da2ef4a9-7cbe-400a-a379-e2f230f28db3", "uses", @@ -31924,6 +26799,16 @@ "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], + [ + "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "uses", + "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" + ], + [ + "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "uses", + "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c" + ], [ "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662", "subtechnique-of", @@ -31939,21 +26824,6 @@ "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "uses", - "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" - ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b" - ], [ "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uses", 
@@ -31984,21 +26854,6 @@ "uses", "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" - ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" - ], [ "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "uses", @@ -32020,24 +26875,24 @@ "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" ], [ - "malware--2daa14d6-cbf3-4308-bb8e-213c324a08e4", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b" + "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], [ - "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd", + "malware--2daa14d6-cbf3-4308-bb8e-213c324a08e4", "uses", - "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" + "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b" ], [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "malware--c984b414-b766-44c5-814a-2fe96c913c12", "uses", - "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336" + "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ], [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd", "uses", - "attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926" + "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" ], [ "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae", 
@@ -32049,16 +26904,6 @@ "uses", "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4" ], - [ - "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], - [ - "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--fc774af4-533b-4724-96d2-ac1026316794", "uses", @@ -32084,16 +26929,6 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" - ], [ "malware--d1b7830a-fced-4be3-a99c-f495af9d9e1b", "uses", @@ -32129,11 +26964,6 @@ "subtechnique-of", "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - ], [ "malware--49abab73-3c5c-476e-afd5-69b5c732d845", "uses", @@ -32165,14 +26995,14 @@ "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" + "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" ], [ - "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" + "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b" ], [ "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", 
@@ -32184,25 +27014,15 @@ "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], - [ - "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643", - "uses", - "malware--5763217a-05b6-4edd-9bca-057e47b5e403" - ], - [ - "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3" ], [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", + "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055" ], [ "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", @@ -32210,15 +27030,20 @@ "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], [ - "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "malware--b9704a7d-feef-4af9-8898-5280f1686326", "uses", - "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541" + "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", "uses", "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643" ], + [ + "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "uses", + "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" + ], [ "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c", "uses", @@ -32249,11 +27074,6 @@ "uses", "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "uses", 
@@ -32269,31 +27089,11 @@ "uses", "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" ], - [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "uses", - "tool--33b9e38f-103c-412d-bdcf-904a91fff1e4" - ], - [ - "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--5e814485-012d-423d-b769-026bfed0f451", "uses", "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b" - ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" - ], [ "malware--60c18d06-7b91-4742-bae3-647845cd9d81", "uses", @@ -32314,21 +27114,6 @@ "uses", "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34" ], - [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" - ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916" - ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", @@ -32350,9 +27135,9 @@ "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "uses", - "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" + "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d" ], [ "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2", 
@@ -32364,26 +27149,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", - "uses", - "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" - ], - [ - "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], - [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "uses", - "malware--56f46b17-8cfa-46c0-b501-dd52fef394e2" - ], [ "malware--b8eb28e4-48a6-40ae-951a-328714f75eda", "uses", @@ -32424,11 +27189,6 @@ "uses", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529" - ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "uses", @@ -32439,11 +27199,6 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], - [ - "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "uses", - "malware--ae9d818d-95d0-41da-b045-9cabea1ca164" - ], [ "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "uses", @@ -32459,6 +27214,11 @@ "uses", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" ], + [ + "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "uses", + "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" + ], [ "malware--8dbadf80-468c-4a62-b817-4e4d8b606887", "uses", @@ -32474,11 +27234,6 @@ "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "uses", - "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a" - ], [ "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", "uses", 
@@ -32489,16 +27244,6 @@ "uses", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "uses", - "tool--0c8465c0-d0b4-4670-992e-4eee8d7ff952" - ], - [ - "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", - "uses", - "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6" - ], [ "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "uses", @@ -32510,30 +27255,15 @@ "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0" ], [ - "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "malware--8393dac0-0583-456a-9372-fd81691bca20", "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" + "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad" ], [ "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "uses", - "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529" - ], [ "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", "uses", @@ -32544,11 +27274,6 @@ "uses", "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d" - ], [ "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8", "uses", @@ -32559,16 +27284,6 @@ "uses", "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" - ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "malware--56f46b17-8cfa-46c0-b501-dd52fef394e2" - ], [ "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", "uses", 
@@ -32594,11 +27309,6 @@ "uses", "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" ], - [ - "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", - "uses", - "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" - ], [ "malware--0efefea5-78da-4022-92bc-d726139e8883", "uses", @@ -32619,30 +27329,20 @@ "uses", "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf" - ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073" - ], [ "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", "uses", "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5" ], [ - "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "malware--d1531eaa-9e17-473e-a680-3298469662c3", "uses", - "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd" + "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], [ - "malware--d1531eaa-9e17-473e-a680-3298469662c3", + "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "uses", - "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" + "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c" ], [ "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", @@ -32669,16 +27369,6 @@ "uses", "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161" ], - [ - "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "uses", - "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab" - ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" - ], [ "malware--e48df773-7c95-4a4c-ba70-ea3d15900148", "uses", 
@@ -32699,16 +27389,6 @@ "uses", "attack-pattern--768dce68-8d0d-477a-b01d-0eea98b963a1" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90" - ], - [ - "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", - "uses", - "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7" - ], [ "malware--a4f57468-fbd5-49e4-8476-52088220b92d", "uses", @@ -32744,31 +27424,16 @@ "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "tool--9de2308e-7bed-43a3-8e58-f194b3586700" - ], [ "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", "uses", "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ], - [ - "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee", - "uses", - "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab" - ], [ "malware--754effde-613c-4244-a83e-fb659b2a4d06", "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" - ], [ "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "uses", @@ -32780,14 +27445,14 @@ "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], [ - "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", - "uses", - "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" + "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120", + "subtechnique-of", + "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b" ], [ - "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", "uses", - "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", 
@@ -32839,11 +27504,6 @@ "uses", "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", @@ -32860,14 +27520,9 @@ "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b" ], [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - ], - [ - "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", @@ -32880,9 +27535,14 @@ "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" ], [ - "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc", + "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc", + "uses", + "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + ], + [ + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ], [ "malware--60c18d06-7b91-4742-bae3-647845cd9d81", @@ -32894,11 +27554,6 @@ "uses", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c" - ], [ "malware--58adaaa8-f1e8-4606-9a08-422e568461eb", "uses", 
@@ -32914,21 +27569,11 @@ "uses", "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72" - ], [ "malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "uses", "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" ], - [ - "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1", "uses", @@ -32940,7 +27585,7 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "uses", "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88" ], @@ -32954,21 +27599,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35" - ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27" - ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" - ], [ "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72", "subtechnique-of", @@ -33019,11 +27649,6 @@ "uses", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], - [ - "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "uses", - "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" - ], [ "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uses", @@ -33035,9 +27660,9 @@ "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ - "intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "malware--e48df773-7c95-4a4c-ba70-ea3d15900148" + "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ "malware--166c0eca-02fd-424a-92c0-6b5106994d31", 
@@ -33059,11 +27684,6 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "uses", - "malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c" - ], [ "attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51", "subtechnique-of", @@ -33079,11 +27699,6 @@ "uses", "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ], - [ - "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "uses", - "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65" - ], [ "tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf", "uses", @@ -33094,11 +27709,6 @@ "subtechnique-of", "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf" ], - [ - "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", - "uses", - "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" - ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", @@ -33115,35 +27725,25 @@ "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", + "malware--ade37ada-14af-4b44-b36c-210eec255d53", "uses", - "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" + "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d" ], [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", "uses", - "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a" + "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579" ], [ "malware--5763217a-05b6-4edd-9bca-057e47b5e403", "uses", "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" ], - [ - "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", - "uses", - "attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3" - ], [ "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", "uses", "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662" ], - [ - "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "uses", - "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" - ], [ "malware--9af05de0-bc09-4511-a350-5eb8b06185c1", "uses", 
@@ -33154,11 +27754,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc", "uses", @@ -33170,9 +27765,9 @@ "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "tool--4664b683-f578-434f-919b-1c1aad2a1111" + "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af" ], [ "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", @@ -33210,9 +27805,9 @@ "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" ], [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", "uses", - "tool--03342581-f790-4f03-ba41-e82e67392e23" + "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" ], [ "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00", @@ -33229,11 +27824,6 @@ "uses", "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" ], - [ - "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "uses", - "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" - ], [ "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "uses", @@ -33259,11 +27849,6 @@ "uses", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "malware--a5528622-3a8a-4633-86ce-8cdaf8423858" - ], [ "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4", "uses", @@ -33284,6 +27869,11 @@ "uses", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" ], + [ + "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "uses", + "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32" + ], [ "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "uses", 
@@ -33294,21 +27884,11 @@ "uses", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" ], - [ - "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "uses", - "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e" - ], [ "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "uses", "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" ], - [ - "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "uses", - "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" - ], [ "malware--a5575606-9b85-4e3d-9cd2-40ef30e3672d", "uses", @@ -33319,6 +27899,11 @@ "uses", "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a" ], + [ + "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "uses", + "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" + ], [ "malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "uses", 
@@ -33345,29 +27930,34 @@ "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6" ], [ - "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "uses", - "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60" + "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" ], [ - "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "uses", - "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" + "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5" ], [ "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", "uses", "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" ], + [ + "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf", + "subtechnique-of", + "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf" + ], [ "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069", "uses", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ], [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "malware--b9704a7d-feef-4af9-8898-5280f1686326", "uses", - "malware--c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9" + "attack-pattern--635cbe30-392d-4e27-978e-66774357c762" ], [ "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050", @@ -33395,9 +27985,9 @@ "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b" ], [ - "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", - "uses", - "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" + "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262", + "subtechnique-of", + "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4" ], [ "malware--e8545794-b98c-492b-a5b3-4b5a02682e37", @@ -33419,6 +28009,11 @@ "uses", "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc" ], + [ + "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "uses", + "attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba" + ], [ "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "uses", 
@@ -33429,31 +28024,16 @@ "uses", "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" ], - [ - "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", - "uses", - "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" - ], [ "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "uses", "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b" ], - [ - "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "uses", - "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b" - ], [ "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd", "uses", "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a" ], - [ - "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "uses", - "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18" - ], [ "malware--8be7c69e-d8e3-4970-9668-61de08e508cc", "uses", @@ -33489,6 +28069,16 @@ "uses", "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], [ "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "uses", 
@@ -33514,11 +28104,36 @@ "uses", "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2" ], + [ + "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "uses", + "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2" + ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31" + ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2" + ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], [ "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "uses", "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a" ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "uses", + "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2" + ], [ "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "uses", 
@@ -33529,21 +28144,46 @@ "uses", "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5" + ], [ "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "uses", "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6" + ], [ "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "uses", "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" + ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" + ], [ "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "uses", "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b" + ], [ "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "uses", @@ -33579,6 +28219,11 @@ "uses", "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" ], + [ + "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "uses", + "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380" + ], [ "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "uses", @@ -33589,6 +28234,11 @@ "uses", "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "uses", + "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa" + ], [ "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "uses", @@ -33609,6 +28259,11 @@ "uses", "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380" + ], [ "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "uses", 
@@ -33649,6 +28304,11 @@ "uses", "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44" + ], [ "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "uses", @@ -33659,6 +28319,11 @@ "uses", "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f" + ], [ "malware--a6228601-03f6-4949-ae22-c1087627a637", "uses", @@ -33674,6 +28339,11 @@ "uses", "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec" ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160" + ], [ "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "uses", @@ -33709,6 +28379,11 @@ "uses", "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274" ], + [ + "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "uses", + "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" + ], [ "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "uses", @@ -33739,6 +28414,11 @@ "uses", "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e" + ], [ "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "uses", @@ -33754,6 +28434,11 @@ "uses", "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" ], + [ + "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "uses", + "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" + ], [ "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "uses", 
@@ -33809,6 +28494,21 @@ "uses", "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" + ], + [ + "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "uses", + "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" + ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], [ "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "uses", @@ -33824,11 +28524,21 @@ "uses", "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad" + ], [ "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "uses", "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44" + ], [ "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "uses", @@ -33844,11 +28554,6 @@ "uses", "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "malware--56660521-6db4-4e5a-a927-464f22954b7c" - ], [ "malware--21170624-89db-4e99-bf27-58d26be07c3a", "uses", 
@@ -33859,16 +28564,41 @@ "uses", "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f" + ], [ "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "uses", "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" ], + [ + "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], [ "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "uses", "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" + ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2" + ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2" + ], [ "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "uses", @@ -33879,6 +28609,11 @@ "uses", "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160" + ], [ "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "uses", @@ -33894,6 +28629,11 @@ "uses", "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" + ], [ "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "uses", 
@@ -33925,9 +28665,14 @@ "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" ], [ - "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "uses", + "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69" + ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "uses", - "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69" + "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0" ], [ "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", @@ -33939,6 +28684,11 @@ "uses", "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + ], [ "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "uses", @@ -33969,6 +28719,11 @@ "uses", "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad" ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84" + ], [ "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "uses", @@ -33990,9 +28745,24 @@ "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" ], [ - "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "uses", - "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" + "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8" + ], + [ + "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], + [ + "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "uses", + "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2" + ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2" ], [ "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", 
@@ -34069,11 +28839,26 @@ "uses", "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" + ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + ], [ "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "uses", "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160" + ], [ "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "uses", @@ -34084,6 +28869,11 @@ "uses", "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0" ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" + ], [ "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "uses", @@ -34099,6 +28889,11 @@ "uses", "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" + ], [ "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "uses", @@ -34124,6 +28919,11 @@ "uses", "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848" + ], [ "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "uses", @@ -34139,6 +28939,11 @@ "uses", "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" ], + [ + "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "uses", + "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" + ], [ "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "uses", 
@@ -34160,14 +28965,14 @@ "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" ], [ - "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "uses", - "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2" ], [ - "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "uses", - "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6" + "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" ], [ "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", @@ -34199,6 +29004,11 @@ "uses", "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62" + ], [ "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "uses", @@ -34259,6 +29069,21 @@ "uses", "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" + ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" + ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "uses", + "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" + ], [ "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "uses", @@ -34284,11 +29109,21 @@ "uses", "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" ], + [ + "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "uses", + "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" + ], [ "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "uses", "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b" ], + [ + "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], [ "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "uses", 
@@ -34304,6 +29139,11 @@ "uses", "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "uses", + "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" + ], [ "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "uses", @@ -34334,6 +29174,11 @@ "uses", "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" + ], [ "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "uses", @@ -34349,6 +29194,26 @@ "uses", "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6" + ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" + ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + ], [ "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "uses", @@ -34369,6 +29234,21 @@ "uses", "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6" ], + [ + "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "uses", + "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" + ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" + ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8" + ], [ "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "uses", 
@@ -34415,20 +29295,25 @@ "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb" ], [ - "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "uses", - "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" + "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" ], [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "uses", - "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878" + "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" ], [ "malware--22b596a6-d288-4409-8520-5f2846f85514", "uses", "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" + ], [ "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "uses", @@ -34469,6 +29354,16 @@ "uses", "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" + ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b" + ], [ "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "uses", @@ -34527,7 +29422,12 @@ [ "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "uses", - "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" ], [ "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", 
@@ -34569,6 +29469,16 @@ "uses", "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "uses", + "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf" + ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" + ], [ "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "uses", @@ -34649,6 +29559,11 @@ "uses", "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" + ], [ "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "uses", @@ -34674,6 +29589,16 @@ "uses", "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" + ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "uses", + "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" + ], [ "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "uses", @@ -34684,6 +29609,26 @@ "uses", "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a" ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" + ], + [ + "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e" + ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2" + ], [ "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "uses", 
@@ -34699,6 +29644,11 @@ "uses", "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" + ], [ "malware--21170624-89db-4e99-bf27-58d26be07c3a", "uses", @@ -34714,6 +29664,11 @@ "uses", "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483" + ], [ "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "uses", @@ -34729,6 +29684,11 @@ "uses", "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" + ], [ "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "uses", @@ -34754,6 +29714,11 @@ "uses", "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a" ], + [ + "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "uses", + "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2" + ], [ "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "uses", @@ -34794,6 +29759,11 @@ "uses", "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" ], + [ + "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], [ "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "uses", @@ -34834,6 +29804,11 @@ "uses", "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "uses", + "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62" + ], [ "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "uses", @@ -34849,6 +29824,11 @@ "uses", "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2" ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" + ], [ "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "uses", 
@@ -34909,6 +29889,16 @@ "uses", "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6" + ], [ "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "uses", @@ -34919,6 +29909,16 @@ "uses", "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160" ], + [ + "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "uses", + "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84" + ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" + ], [ "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "uses", @@ -34929,6 +29929,11 @@ "uses", "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" + ], [ "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "uses", @@ -35024,6 +30029,16 @@ "uses", "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2" + ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2" + ], [ "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "uses", 
@@ -35034,6 +30049,21 @@ "uses", "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0" ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2" + ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec" + ], [ "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "uses", @@ -35049,6 +30079,11 @@ "uses", "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f" + ], [ "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "uses", @@ -35099,6 +30134,16 @@ "uses", "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1" ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" + ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f" + ], [ "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "uses", @@ -35109,6 +30154,11 @@ "uses", "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" + ], [ "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "uses", @@ -35124,6 +30174,11 @@ "uses", "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" + ], [ "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "uses", 
@@ -35184,6 +30239,16 @@ "uses", "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" + ], + [ + "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "uses", + "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" + ], [ "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "uses", @@ -35199,6 +30264,11 @@ "uses", "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" + ], [ "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "uses", @@ -35214,6 +30284,16 @@ "uses", "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5" ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" + ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b" + ], [ "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "uses", @@ -35224,6 +30304,11 @@ "uses", "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2" ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f" + ], [ "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "uses", 
@@ -35249,16 +30334,31 @@ "uses", "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f" + ], [ "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "uses", "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" + ], [ "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "uses", "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" + ], [ "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "uses", @@ -35269,6 +30369,11 @@ "uses", "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], [ "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "uses", @@ -35284,6 +30389,21 @@ "uses", "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" + ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e" + ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" + ], [ "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "uses", @@ -35314,6 +30434,11 @@ "uses", "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f" + ], [ "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "uses", 
@@ -35334,6 +30459,11 @@ "uses", "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f" + ], [ "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "uses", @@ -35349,6 +30479,11 @@ "uses", "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a" + ], [ "malware--936be60d-90eb-4c36-9247-4b31128432c4", "uses", @@ -35369,11 +30504,26 @@ "uses", "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2" ], + [ + "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "uses", + "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" + ], + [ + "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "uses", + "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b" + ], [ "malware--a6228601-03f6-4949-ae22-c1087627a637", "uses", "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c" ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" + ], [ "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "uses", @@ -35384,6 +30534,11 @@ "uses", "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2" + ], [ "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "uses", @@ -35394,6 +30549,16 @@ "uses", "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" + ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2" + ], [ "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "uses", 
@@ -35444,6 +30609,11 @@ "uses", "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" + ], [ "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "uses", @@ -35464,11 +30634,26 @@ "uses", "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a" ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" + ], [ "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "uses", "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec" ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69" + ], + [ + "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "uses", + "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2" + ], [ "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "uses", @@ -35484,11 +30669,21 @@ "uses", "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b" ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" + ], [ "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "uses", "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" + ], [ "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "uses", @@ -35499,11 +30694,6 @@ "uses", "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" - ], [ "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "uses", 
@@ -35564,6 +30754,11 @@ "uses", "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" + ], [ "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "uses", @@ -35609,6 +30804,11 @@ "uses", "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2" + ], [ "malware--936be60d-90eb-4c36-9247-4b31128432c4", "uses", @@ -35669,16 +30869,31 @@ "uses", "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de" + ], [ "malware--a6228601-03f6-4949-ae22-c1087627a637", "uses", "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2" ], + [ + "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "uses", + "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6" + ], [ "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "uses", "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1" ], + [ + "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "uses", + "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" + ], [ "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "uses", @@ -35689,6 +30904,11 @@ "uses", "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" ], + [ + "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "uses", + "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" + ], [ "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "uses", 
@@ -35729,6 +30949,16 @@ "uses", "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" ], + [ + "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "uses", + "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2" + ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b" + ], [ "malware--d89c132d-7752-4c7f-9372-954a71522985", "uses", @@ -35749,6 +30979,16 @@ "uses", "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2" ], + [ + "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "uses", + "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" + ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2" + ], [ "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "uses", @@ -35764,6 +31004,16 @@ "uses", "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" ], + [ + "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "uses", + "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" + ], + [ + "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "uses", + "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380" + ], [ "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "uses", @@ -35789,6 +31039,11 @@ "uses", "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf" ], + [ + "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "uses", + "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" + ], [ "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "uses", @@ -35819,6 +31074,11 @@ "uses", "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf" ], + [ + "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "uses", + "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f" + ], [ "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "uses", 
@@ -35869,11 +31129,6 @@ "uses", "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" - ], [ "malware--a6228601-03f6-4949-ae22-c1087627a637", "uses", @@ -35894,11 +31149,6 @@ "uses", "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb" ], - [ - "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", - "uses", - "malware--a5528622-3a8a-4633-86ce-8cdaf8423858" - ], [ "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "uses", @@ -35934,11 +31184,6 @@ "related-to", "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c" - ], [ "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", "related-to", @@ -35954,11 +31199,6 @@ "related-to", "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077" ], - [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "uses", - "attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234" - ], [ "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", "related-to", @@ -35969,11 +31209,6 @@ "related-to", "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe" ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - ], [ "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a", "related-to", @@ -35984,11 +31219,6 @@ "uses", "attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6" - ], [ "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73", "related-to", 
@@ -35999,11 +31229,6 @@ "related-to", "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88" ], - [ - "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "uses", - "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6" - ], [ "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1", "related-to", @@ -36069,26 +31294,11 @@ "related-to", "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - ], [ "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff", "related-to", "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a" - ], - [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "uses", - "attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4" - ], [ "attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6", "related-to", @@ -36099,21 +31309,11 @@ "related-to", "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6" ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe" - ], [ "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b", "related-to", "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88" ], - [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "uses", - "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201" - ], [ "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", "related-to", @@ -36164,11 +31364,6 @@ "related-to", "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84" ], - [ - "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "uses", - "attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93" - ], [ "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1", "related-to", 
@@ -36214,16 +31409,6 @@ "related-to", "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae" ], - [ - "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", - "uses", - "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b" - ], - [ - "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", - "uses", - "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077" - ], [ "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549", "related-to", @@ -36234,11 +31419,6 @@ "related-to", "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" ], - [ - "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", - "uses", - "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549" - ], [ "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", "uses", @@ -36248,10 +31428,5 @@ "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5", "related-to", "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1" - ], - [ - "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", - "uses", - "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195" ] ] \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json index 618190182..5fcda737c 100644 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json +++ b/cdas/assets/mitre_cti/threat-actors/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json 
@@ -1,9 +1,12 @@ { "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "name": "Dragonfly", - "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)\n\nA similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)\n\nA similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", "aliases": [ "Dragonfly", + "TG-4192", + "Crouching Yeti", + "IRON LIBERTY", "Energetic Bear" ], "sophistication": "strategic", 
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json index b9b6efea9..58ed6952f 100644 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json +++ b/cdas/assets/mitre_cti/threat-actors/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json @@ -4,6 +4,8 @@ "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", "aliases": [ "FIN6", + "Magecart Group 6", + "SKELETON SPIDER", "ITG08" ], "sophistication": "strategic", diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf.json deleted file mode 100644 index 6826af143..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "name": "Gamaredon Group", - "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word \"Armageddon\", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)", - "aliases": [ - "Gamaredon Group" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "Russia", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f.json deleted file mode 100644 index c55352ae0..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f", - "name": "Moafee", - "description": "[Moafee](https://attack.mitre.org/groups/G0002) is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [DragonOK](https://attack.mitre.org/groups/G0017). (Citation: Haq 2014)", - "aliases": [ - "Moafee" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee.json deleted file mode 100644 index 604457868..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", - "name": "Gallmaker", - "description": "[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)", - "aliases": [ - "Gallmaker" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74.json deleted file mode 100644 index f7d8d6a85..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "id": "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", - "name": "Leafminer", - "description": "[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)", - "aliases": [ - "Leafminer", - "Raspite" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json deleted file mode 100644 index 56c64fa48..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "name": "FIN7", - "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. [FIN7](https://attack.mitre.org/groups/G0046) is sometimes referred to as [Carbanak](https://attack.mitre.org/groups/G0008) Group, but these appear to be two groups using the same [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: FireEye CARBANAK June 2017) (Citation: FireEye FIN7 Aug 2018)", - "aliases": [ - "FIN7" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json deleted file mode 100644 index 9d8718cdd..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "name": "Sandworm Team", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. [Sandworm Team](https://attack.mitre.org/groups/G0034)'s most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's [NotPetya](https://attack.mitre.org/software/S0368) attacks. [Sandworm Team](https://attack.mitre.org/groups/G0034) has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)", - "aliases": [ - "Sandworm Team", - "ELECTRUM", - "Telebots", - "IRON VIKING", - "BlackEnergy (Group)", - "Quedagh", - "VOODOO BEAR" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0.json deleted file mode 100644 index 5b8a2aaa8..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "id": "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "name": "Machete", - "description": "[Machete](https://attack.mitre.org/groups/G0095) is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)", - "aliases": [ - "Machete", - "El Machete" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648.json deleted file mode 100644 index f6ca6e9fa..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "id": "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "name": "APT18", - "description": "[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)", - "aliases": [ - "APT18", - "TG-0416", - "Dynamite Panda", - "Threat Group-0416" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad.json deleted file mode 100644 index f9551a353..000000000 
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", - "name": "Rocke", - "description": "[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address \"rocke@live.cn\" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)", - "aliases": [ - "Rocke" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80.json deleted file mode 100644 index f85874861..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80.json +++ /dev/null 
@@ -1,21 +0,0 @@
-{
- "id": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
- "name": "APT39",
- "description": "[APT39](https://attack.mitre.org/groups/G0087) is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)",
- "aliases": [
- "APT39",
- "Chafer"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c.json
deleted file mode 100644
index c33d1317c..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "id": "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c",
- "name": "APT37",
- "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
- "aliases": [
- "APT37",
- "ScarCruft",
- "Reaper",
- "Group123",
- "TEMP.Reaper"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
deleted file mode 100644
index 309645b3a..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
- "name": "OilRig",
- "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.",
- "aliases": [
- "OilRig",
- "IRN2",
- "HELIX KITTEN",
- "APT34"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c.json
deleted file mode 100644
index 2e0538aad..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "id": "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
- "name": "Carbanak",
- "description": "[Carbanak](https://attack.mitre.org/groups/G0008) is a threat group that mainly targets banks. It also refers to malware of the same name ([Carbanak](https://attack.mitre.org/software/S0030)). It is sometimes referred to as [FIN7](https://attack.mitre.org/groups/G0046), but these appear to be two groups using the same [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately. (Citation: Kaspersky Carbanak) (Citation: FireEye FIN7 April 2017)",
- "aliases": [
- "Carbanak",
- "Anunak",
- "Carbon Spider"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924.json
deleted file mode 100644
index 61ed71452..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "id": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
- "name": "Tropic Trooper",
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)",
- "aliases": [
- "Tropic Trooper",
- "Pirate Panda",
- "KeyBoy"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1.json
deleted file mode 100644
index a84e44942..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1",
- "name": "Orangeworm",
- "description": "[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. (Citation: Symantec Orangeworm April 2018)",
- "aliases": [
- "Orangeworm"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46.json
deleted file mode 100644
index 2df0f0f99..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46",
- "name": "Taidoor",
- "description": "[Taidoor](https://attack.mitre.org/groups/G0015) is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. (Citation: TrendMicro Taidoor)",
- "aliases": [
- "Taidoor"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d.json
deleted file mode 100644
index a2c73b80e..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d",
- "name": "Suckfly",
- "description": "[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)",
- "aliases": [
- "Suckfly"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45.json
deleted file mode 100644
index 9b989c487..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "id": "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
- "name": "Putter Panda",
- "description": "[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA\u2019s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)",
- "aliases": [
- "Putter Panda",
- "APT2",
- "MSUpdater"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1.json
deleted file mode 100644
index 231ee73d8..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
- "name": "Sharpshooter",
- "description": "Operation [Sharpshooter](https://attack.mitre.org/groups/G0104) is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and [Lazarus Group](https://attack.mitre.org/groups/G0032) have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018)",
- "aliases": [
- "Sharpshooter"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481.json
deleted file mode 100644
index 3043092ed..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481",
- "name": "TA459",
- "description": "[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)",
- "aliases": [
- "TA459"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4.json
deleted file mode 100644
index b2551ca64..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4",
- "name": "The White Company",
- "description": "[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)",
- "aliases": [
- "The White Company"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c.json
deleted file mode 100644
index 19e4ed889..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "id": "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c",
- "name": "Ke3chang",
- "description": "[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted several industries, including oil, government, military, and more. (Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)",
- "aliases": [
- "Ke3chang",
- "APT15",
- "Mirage",
- "Vixen Panda",
- "GREF",
- "Playful Dragon",
- "RoyalAPT"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json
deleted file mode 100644
index fa1212630..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662",
- "name": "APT1",
- "description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
- "aliases": [
- "APT1",
- "Comment Crew",
- "Comment Group",
- "Comment Panda"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e.json
deleted file mode 100644
index ebc74a9b9..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
- "name": "Frankenstein",
- "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019) ",
- "aliases": [
- "Frankenstein"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01.json
deleted file mode 100644
index 9c92c211a..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01",
- "name": "DarkHydrus",
- "description": "[DarkHydrus](https://attack.mitre.org/groups/G0079) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)",
- "aliases": [
- "DarkHydrus"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8.json
deleted file mode 100644
index 0102dd7f6..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
- "name": "BlackTech",
- "description": "[BlackTech](https://attack.mitre.org/groups/G0098) is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.(Citation: TrendMicro BlackTech June 2017)",
- "aliases": [
- "BlackTech"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e.json
deleted file mode 100644
index 20145cdcd..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "id": "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e",
- "name": "Leviathan",
- "description": "[Leviathan](https://attack.mitre.org/groups/G0065) is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)",
- "aliases": [
- "Leviathan",
- "TEMP.Jumper",
- "APT40",
- "TEMP.Periscope"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40.json
deleted file mode 100644
index 30aa06918..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40",
- "name": "Group5",
- "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
- "aliases": [
- "Group5"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee.json
deleted file mode 100644
index 7595cc710..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
- "name": "Blue Mockingbird",
- "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)",
- "aliases": [
- "Blue Mockingbird"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb.json
deleted file mode 100644
index 579e230d5..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb",
- "name": "SilverTerrier",
- "description": "[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. [SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)",
- "aliases": [
- "SilverTerrier"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
deleted file mode 100644
index 64b24d2e2..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71",
- "name": "Dragonfly 2.0",
- "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)",
- "aliases": [
- "Dragonfly 2.0",
- "Berserk Bear"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70.json
deleted file mode 100644
index c7fa5ec0e..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70",
- "name": "Stolen Pencil",
- "description": "[Stolen Pencil](https://attack.mitre.org/groups/G0086) is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)",
- "aliases": [
- "Stolen Pencil"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6.json
deleted file mode 100644
index 91f690eb3..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "id": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
- "name": "Turla",
- "description": "[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017) (Citation: CrowdStrike VENOMOUS BEAR) (Citation: ESET Turla Mosquito Jan 2018)",
- "aliases": [
- "Turla",
- "Waterbug",
- "WhiteBear",
- "VENOMOUS BEAR",
- "Snake",
- "Krypton"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446.json
deleted file mode 100644
index 7fad0f4b7..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446",
- "name": "Poseidon Group",
- "description": "[Poseidon Group](https://attack.mitre.org/groups/G0033) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the [Poseidon Group](https://attack.mitre.org/groups/G0033) as a security firm. (Citation: Kaspersky Poseidon Group)",
- "aliases": [
- "Poseidon Group"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d.json
deleted file mode 100644
index 82a27a5dd..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "id": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
- "name": "TA505",
- "description": "[TA505](https://attack.mitre.org/groups/G0092) is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)",
- "aliases": [
- "TA505",
- "Hive0065"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--813636db-3939-4a45-bea9-6113e970c029.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--813636db-3939-4a45-bea9-6113e970c029.json
deleted file mode 100644
index ef8e0ea13..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--813636db-3939-4a45-bea9-6113e970c029.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
- "name": "DarkVishnya",
- "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)",
- "aliases": [
- "DarkVishnya"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022.json
deleted file mode 100644
index 9ab5ca806..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022",
- "name": "FIN5",
- "description": "[FIN5](https://attack.mitre.org/groups/G0053) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)",
- "aliases": [
- "FIN5"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--88489675-d216-4884-a98f-49a89fcc1643.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--88489675-d216-4884-a98f-49a89fcc1643.json
deleted file mode 100644
index 7d02916a8..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--88489675-d216-4884-a98f-49a89fcc1643.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
- "name": "Mofang",
- "description": "[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)",
- "aliases": [
- "Mofang"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7.json
deleted file mode 100644
index f3cf5241e..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "id": "intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
- "name": "Lotus Blossom",
- "description": "[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)",
- "aliases": [
- "Lotus Blossom",
- "DRAGONFISH",
- "Spring Dragon"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8.json
deleted file mode 100644
index 4389ba0c1..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8",
- "name": "Stealth Falcon",
- "description": "[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)",
- "aliases": [
- "Stealth Falcon"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542.json
deleted file mode 100644
index 75b53fd8b..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542",
- "name": "APT29",
- "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)",
- "aliases": [
- "APT29",
- "YTTRIUM",
- "The Dukes",
- "Cozy Bear",
- "CozyDuke"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json
deleted file mode 100644
index c0e227383..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
- "name": "Dark Caracal",
- "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)",
- "aliases": [
- "Dark Caracal"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063.json
deleted file mode 100644
index 6529845b8..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "id": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
- "name": "Cleaver",
- "description": "[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
- "aliases": [
- "Cleaver",
- "Threat Group 2889",
- "TG-2889"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada.json
deleted file mode 100644
index 37f889059..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada",
- "name": "Charming Kitten",
- "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [[Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)",
- "aliases": [
- "Charming Kitten"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90.json
deleted file mode 100644
index 168828d94..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "id": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
- "name": "BRONZE BUTLER",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)",
- "aliases": [
- "BRONZE BUTLER",
- "REDBALDKNIGHT",
- "Tick"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
deleted file mode 100644
index 32eb6a437..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4",
- "name": "TEMP.Veles",
- "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)",
- "aliases": [
- "TEMP.Veles",
- "XENOTIME"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9.json
deleted file mode 100644
index 2474ed874..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9",
- "name": "Equation",
- "description": "[Equation](https://attack.mitre.org/groups/G0020) is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)",
- "aliases": [
- "Equation"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383.json
deleted file mode 100644
index 4fe0b9a69..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383",
- "name": "Darkhotel",
- "description": "[Darkhotel](https://attack.mitre.org/groups/G0012) is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi\u2011Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)",
- "aliases": [
- "Darkhotel"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973.json
deleted file mode 100644
index 6ea5d5cb3..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "id": "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973",
- "name": "Axiom",
- "description": "[Axiom](https://attack.mitre.org/groups/G0001) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Novetta-Axiom) Though both this group and [Winnti Group](https://attack.mitre.org/groups/G0044) use the malware [Winnti for Windows](https://attack.mitre.org/software/S0141), the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
- "aliases": [
- "Axiom",
- "Group 72"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064.json
deleted file mode 100644
index 9948698bf..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "id": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064",
- "name": "Deep Panda",
- "description": "[Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://attack.mitre.org/groups/G0009). (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) [Deep Panda](https://attack.mitre.org/groups/G0009) also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track [Deep Panda](https://attack.mitre.org/groups/G0009) and [APT19](https://attack.mitre.org/groups/G0073) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016)",
- "aliases": [
- "Deep Panda",
- "Shell Crew",
- "WebMasters",
- "KungFu Kittens",
- "PinkPanther",
- "Black Vine"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31.json
deleted file mode 100644
index 3ead74459..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31",
- "name": "Dust Storm",
- "description": "[Dust Storm](https://attack.mitre.org/groups/G0031) is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)",
- "aliases": [
- "Dust Storm"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json
deleted file mode 100644
index 08c8262a7..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
- "name": "Windshift",
- "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)",
- "aliases": [
- "Windshift",
- "Bahamut"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e.json
deleted file mode 100644
index b40240355..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
- "name": "Whitefly",
- "description": "[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore\u2019s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)",
- "aliases": [
- "Whitefly"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json
deleted file mode 100644
index 36619bebc..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
- "name": "APT28",
- "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)",
- "aliases": [
- "APT28",
- "SNAKEMACKEREL",
- "Swallowtail",
- "Group 74",
- "Sednit",
- "Sofacy",
- "Pawn Storm",
- "Fancy Bear",
- "STRONTIUM",
- "Tsar Team",
- "Threat Group-4127",
- "TG-4127"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f.json
deleted file mode 100644
index 98ae0f813..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f",
- "name": "RTM",
- "description": "[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://attack.mitre.org/software/S0148)). (Citation: ESET RTM Feb 2017)",
- "aliases": [
- "RTM"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb.json
deleted file mode 100644
index 57c72122c..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "id": "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb",
- "name": "APT12",
- "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)",
- "aliases": [
- "APT12",
- "IXESHE",
- "DynCalc",
- "Numbered Panda",
- "DNSCALC"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842.json
deleted file mode 100644
index 25bc7da40..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "id": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
- "name": "APT-C-36",
- "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)",
- "aliases": [
- "APT-C-36",
- "Blind Eagle"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7.json
deleted file mode 100644
index 454a51cb7..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
- "name": "Scarlet Mimic",
- "description": "[Scarlet Mimic](https://attack.mitre.org/groups/G0029) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029) and [Putter Panda](https://attack.mitre.org/groups/G0024), it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)",
- "aliases": [
- "Scarlet Mimic"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff.json
deleted file mode 100644
index 6458d4e10..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "id": "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
- "name": "Winnti Group",
- "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018)",
- "aliases": [
- "Winnti Group",
- "Blackfly"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
deleted file mode 100644
index 4316c7311..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
- "name": "Lazarus Group",
- "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a threat group that has been attributed to the North Korean government.(Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) In late 2017, [Lazarus Group](https://attack.mitre.org/groups/G0032) used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. (Citation: Lazarus KillDisk)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
- "aliases": [
- "Lazarus Group",
- "HIDDEN COBRA",
- "Guardians of Peace",
- "ZINC",
- "NICKEL ACADEMY"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6.json
deleted file mode 100644
index 029b7a8d1..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6",
- "name": "FIN4",
- "description": "[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)",
- "aliases": [
- "FIN4"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321.json
deleted file mode 100644
index 04640610e..000000000
--- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321.json
+++ /dev/null
@@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321", - "name": "Silence", - "description": "[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) ", - "aliases": [ - "Silence" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e.json deleted file mode 100644 index e76c308c5..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", - "name": "Sowbug", - "description": "[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)", - "aliases": [ - "Sowbug" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983.json deleted file mode 100644 index ef7c9cca7..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "id": "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "name": "Threat Group-1314", - "description": "[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)", - "aliases": [ - "Threat Group-1314", - "TG-1314" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172.json deleted file mode 100644 index 65d2b3076..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172", - "name": "Thrip", - "description": "[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as \"living off the land\" techniques. (Citation: Symantec Thrip June 2018)", - "aliases": [ - "Thrip" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70.json deleted file mode 100644 index 8991254d7..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", - "name": "APT16", - "description": "[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)", - "aliases": [ - "APT16" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850.json deleted file mode 100644 index a4b7d60b8..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850", - "name": "BlackOasis", - "description": "[BlackOasis](https://attack.mitre.org/groups/G0063) is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)", - "aliases": [ - "BlackOasis" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a.json deleted file mode 100644 index 77469c6dd..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "id": "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", - "name": "Cobalt Group", - "description": "[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://attack.mitre.org/groups/G0080) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Cobalt Aug 2017) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Nov 2017) (Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between [Cobalt Group](https://attack.mitre.org/groups/G0080) and both the malware [Carbanak](https://attack.mitre.org/software/S0030) and the group [Carbanak](https://attack.mitre.org/groups/G0008). (Citation: Europol Cobalt Mar 2018)", - "aliases": [ - "Cobalt Group", - "Cobalt Gang", - "Cobalt Spider" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a.json deleted file mode 100644 index 3f7eb6cb0..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "name": "CopyKittens", - "description": "[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)", - "aliases": [ - "CopyKittens" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json deleted file mode 100644 index 0f4aa3e1f..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "name": "Wizard Spider", - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. (Citation: CrowdStrike Ryuk January 2019)", - "aliases": [ - "Wizard Spider", - "TEMP.MixMaster", - "Grim Spider" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411.json deleted file mode 100644 index 7e80fdfab..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "id": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", - "name": "Molerats", - "description": "[Molerats](https://attack.mitre.org/groups/G0021) is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)", - "aliases": [ - "Molerats", - "Operation Molerats", - "Gaza Cybergang" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd.json deleted file mode 100644 index 55446c951..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "id": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd", - "name": "Inception", - "description": "[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)", - "aliases": [ - "Inception", - "Inception Framework", - "Cloud Atlas" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87.json deleted file mode 100644 index 09b7d4d5f..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", - "name": "Honeybee", - "description": "[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japans, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)", - "aliases": [ - "Honeybee" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json deleted file mode 100644 index e91532e87..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", - "name": "PROMETHIUM", - "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)", - "aliases": [ - "PROMETHIUM" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd.json deleted file mode 100644 index edf77b2b0..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "name": "APT30", - "description": "[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)", - "aliases": [ - "APT30" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a.json deleted file mode 100644 index f9b51af1d..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "name": "DragonOK", - "description": "[DragonOK](https://attack.mitre.org/groups/G0017) is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, [DragonOK](https://attack.mitre.org/groups/G0017) is thought to have a direct or indirect relationship with the threat group [Moafee](https://attack.mitre.org/groups/G0002). (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)", - "aliases": [ - "DragonOK" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142.json deleted file mode 100644 index 280b91b4d..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142", - "name": "Rancor", - "description": "[Rancor](https://attack.mitre.org/groups/G0075) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://attack.mitre.org/groups/G0075) uses politically-motivated lures to entice victims to open malicious documents. (Citation: Rancor Unit42 June 2018)", - "aliases": [ - "Rancor" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1.json deleted file mode 100644 index 00d5ff4c2..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", - "name": "WIRTE", - "description": "[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.(Citation: Lab52 WIRTE Apr 2019)", - "aliases": [ - "WIRTE" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694.json deleted file mode 100644 index 695654fa3..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", - "name": "PLATINUM", - "description": "[PLATINUM](https://attack.mitre.org/groups/G0068) is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. (Citation: Microsoft PLATINUM April 2016)", - "aliases": [ - "PLATINUM" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13.json deleted file mode 100644 index 64d385d7f..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "id": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", - "name": "Magic Hound", - "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive operations to collect intelligence, dating back as early as 2014. The group typically targets U.S. and the Middle Eastern military, as well as other organizations with government personnel, via complex social engineering campaigns.(Citation: FireEye APT35 2018)", - "aliases": [ - "Magic Hound", - "Cobalt Gypsy", - "Operation Woolen-Goldfish", - "Ajax Security Team", - "Operation Saffron Rose", - "Rocket Kitten", - "Phosphorus", - "Newscaster", - "APT35" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c.json deleted file mode 100644 index e6afafcad..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "id": "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", - "name": "Threat Group-3390", - "description": "[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018)", - "aliases": [ - "Threat Group-3390", - "TG-3390", - "Emissary Panda", - "BRONZE UNION", - "APT27", - "Iron Tiger", - "LuckyMouse" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json deleted file mode 100644 index da2f052e5..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "name": "APT33", - "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", - "aliases": [ - "APT33", - "HOLMIUM", - "Elfin" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b.json deleted file mode 100644 index 4189a63d6..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "id": "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", - "name": "FIN10", - "description": "[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)", - "aliases": [ - "FIN10" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "Unknown", - "first_seen": "" -} \ No newline at end of file 
diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826.json deleted file mode 100644 index f4aff5749..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "id": "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", - "name": "FIN8", - "description": "[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)", - "aliases": [ - "FIN8" - ], - "sophistication": "innovator", - "actor_type": "", - "sectors": [ - "hospitality-leisure", - "retail" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "steal financial information", - "steal PII" - ], - "attribution": "Unknown", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6.json deleted file mode 100644 index a50911ab4..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "id": "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", - "name": "APT19", - "description": "[APT19](https://attack.mitre.org/groups/G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track [APT19](https://attack.mitre.org/groups/G0073) and [Deep Panda](https://attack.mitre.org/groups/G0009) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016) (Citation: FireEye APT Groups) (Citation: Unit 42 C0d0so0 Jan 2016)", - "aliases": [ - "APT19", - "Codoso", - "C0d0so0", - "Codoso Team", - "Sunshop Group" - ], - "sophistication": "", - "actor_type": "", - "sectors": [ - "" - ], - "primary_motivation": "", - "secondary_motivations": [], - "goals": [ - "" - ], - "attribution": "China", - "first_seen": "" -} \ No newline at end of file diff --git a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647.json b/cdas/assets/mitre_cti/threat-actors/intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647.json deleted file mode 100644 index 6b0284451..000000000 --- a/cdas/assets/mitre_cti/threat-actors/intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647.json +++ /dev/null 
@@ -1,20 +0,0 @@
-{
- "id": "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647",
- "name": "PittyTiger",
- "description": "[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. (Citation: Bizeul 2014) (Citation: Villeneuve 2014)",
- "aliases": [
- "PittyTiger"
- ],
- "sophistication": "",
- "actor_type": "",
- "sectors": [
- ""
- ],
- "primary_motivation": "financial gain",
- "secondary_motivations": [],
- "goals": [
- ""
- ],
- "attribution": "China",
- "first_seen": ""
-}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/tools/tool--975737f1-b10d-476f-8bda-3ec26ea57172.json b/cdas/assets/mitre_cti/tools/tool--975737f1-b10d-476f-8bda-3ec26ea57172.json
new file mode 100644
index 000000000..9aca5446c
--- /dev/null
+++ b/cdas/assets/mitre_cti/tools/tool--975737f1-b10d-476f-8bda-3ec26ea57172.json
@@ -0,0 +1,23 @@
+{
+ "id": "tool--975737f1-b10d-476f-8bda-3ec26ea57172",
+ "name": "MCMD",
+ "description": "[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)",
+ "references": [
+ {
+ "external_id": "S0500",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0500"
+ },
+ {
+ "source_name": "Secureworks MCMD July 2019",
+ "url": "https://www.secureworks.com/research/mcmd-malware-analysis",
+ "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020."
+ }
+ ],
+ "aliases": [
+ "MCMD"
+ ],
+ "platforms": [
+ "Windows"
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/mitre_cti/tools/tool--9de2308e-7bed-43a3-8e58-f194b3586700.json b/cdas/assets/mitre_cti/tools/tool--9de2308e-7bed-43a3-8e58-f194b3586700.json
index 8c04fe443..f9564f388 100644
--- a/cdas/assets/mitre_cti/tools/tool--9de2308e-7bed-43a3-8e58-f194b3586700.json
+++ b/cdas/assets/mitre_cti/tools/tool--9de2308e-7bed-43a3-8e58-f194b3586700.json
@@ -10,7 +10,7 @@
 },
 {
 "source_name": "Wikipedia pwdump",
- "description": "Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.",
+ "description": "Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016.",
 "url": "https://en.wikipedia.org/wiki/Pwdump"
 }
 ],
diff --git a/cdas/assets/mitre_cti/tools/tool--c4810609-7da6-48ec-8057-1b70a7814db0.json b/cdas/assets/mitre_cti/tools/tool--c4810609-7da6-48ec-8057-1b70a7814db0.json
new file mode 100644
index 000000000..27cdb7c0f
--- /dev/null
+++ b/cdas/assets/mitre_cti/tools/tool--c4810609-7da6-48ec-8057-1b70a7814db0.json
@@ -0,0 +1,23 @@
+{
+ "id": "tool--c4810609-7da6-48ec-8057-1b70a7814db0",
+ "name": "CrackMapExec",
+ "description": "[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)",
+ "references": [
+ {
+ "external_id": "S0488",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0488"
+ },
+ {
+ "source_name": "CME Github September 2018",
+ "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference",
+ "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020."
+ }
+ ],
+ "aliases": [
+ "CrackMapExec"
+ ],
+ "platforms": [
+ "Windows"
+ ]
+}
\ No newline at end of file
diff --git a/cdas/assets/stix_vocab.json b/cdas/assets/stix_vocab.json
index 86528c439..c92d76b73 100644
--- a/cdas/assets/stix_vocab.json
+++ b/cdas/assets/stix_vocab.json
@@ -11,8 +11,7 @@
 "infrastructure-operator", "sponsor"
 ],
 "threat-actor-sophistication": [
- "minimal", "intermediate", "advanced", "expert", "innovator",
- "strategic"
+ "strategic", "innovator", "expert", "advanced", "intermediate", "minimal"
 ],
 "threat-actor-type": {
 "activist":0.1,
diff --git a/cdas/context.py b/cdas/context.py
index 31166c98b..61caad9f5 100644
--- a/cdas/context.py
+++ b/cdas/context.py
@@ -37,11 +37,13 @@
 '''
 import drawSvg as draw
+import inspect
 import json
 import numpy as np
 import pkg_resources
 import reportlab.platypus as platy
 from reportlab.lib.styles import getSampleStyleSheet
+from cyberdem import base, structures
 import weakref
@@ -964,3 +966,27 @@ def _serialize(self):
 for key, value in self.__dict__.items():
 serialized[key] = str(value)
 return serialized
+
+
+def random_network(fs, scale, netblocks=None):
+ """Generates a random network of nodes and links.
+
+ Uses the cyberdem package to generate nodes, relationships, configurations,
+ and personnnas. Saves to the given directory.
+
+ Args:
+ fs (cyberdem FileSystem): directory for the network components
+ scale (int): number of nodes in the desired network
+ netblocks (list of IP blocks, optional): For nodes that have IP
+ addresses, choose them only from the given list. Defaults to None.
+ """
+
+ for i in range(1,scale+1):
+ fs.save(base.Device(
+ name="Device " + str(i),
+ description="Main access point",
+ role=np.random.choice(
+ ['user', 'administrative', 'service'], p=[.7, .2, .1]),
+ is_virtual=bool(np.random.choice([False, True])),
+ network_interfaces=[["eth0", "10.10.30.40"], ["eth1", "192.168.10.2"]]))
+ # TODO: add links and relationships for networks in Context.py")
\ No newline at end of file
diff --git a/cdas/filestore.py b/cdas/filestore.py
index 5728aed9e..8cd5c3e27 100644
--- a/cdas/filestore.py
+++ b/cdas/filestore.py
@@ -130,31 +130,27 @@ def __init__(self, path, data_type, write=False):
 def get(self, ids):
 """
- Instantiates an object(s) from a .json file(s)
+ Instantiates an object from a .json file
 Args:
- ids (str or list of strings): list of filenames (with or without
- .json extension)
+ ids (str): filename (with or without .json extension)
 Returns:
- found_objects (list): list of instances of the requested item
+ found_object: instance of the requested item
 """
- if not isinstance(ids, list):
- ids = [ids] # if only one id is given, convert to list
+ if not isinstance(ids, str):
+ raise Exception(f'ids should be string not {type(ids)}')
- found_objects = []
 # read in each file and instantiate the object from the json
- for i in ids:
- filename = os.path.join(self.path, i)
- if not filename.endswith('.json'):
- filename += '.json'
- with open(filename) as j_file:
- obj = json.load(j_file)
- j_file.close()
- found_objects.append(self._type(**obj))
-
- return found_objects
+ filename = os.path.join(self.path, ids)
+ if not filename.endswith('.json'):
+ filename += '.json'
+ with open(filename) as j_file:
+ obj = json.load(j_file)
+ j_file.close()
+
+ return self._type(**obj)
 def list_files(self):
 """Return all filenames in the FileStore"""
diff --git a/cdas/simulator.py b/cdas/simulator.py
index 764d3b6a2..4c4e8a7fb 100644
--- a/cdas/simulator.py
+++ b/cdas/simulator.py
@@ -36,6 +36,7 @@
 DM20-0573
 '''
+import logging
 import json
 import numpy as np
 import uuid
@@ -43,6 +44,7 @@
 from datetime import datetime, timedelta
 import reportlab.platypus as platy
 from reportlab.lib.styles import getSampleStyleSheet
+from cyberdem import filesystem
 from . import context
@@ -79,23 +81,52 @@ def random_indicator(itype):
 f"{itype} is not an available type for random_indicator")
 return indicator
-def simulate(actors, defender, tools, malwares, events_fs, relationships):
-
- t = 0 # Set the time step
-
- for agent in actors:
- # Pick a random target @TODO - make this more logical later
- target = np.random.choice(orgs)
-
- r_num = str(
- start_date).replace('-', '').replace(' ', '_').replace(':', '')
- events_fs.save(context.Event(
- id='event--'+str(uuid.uuid4()),
- name=f"Report #{r_num[:15]}",
- description=description,
- first_seen=start_date,
- sighting_of_ref=agent.id))
- start_date += timedelta(td)
-
-def attack():
+def simulate(actors, defenders, defend, events_fs, relationships, soph_levels):
+
+ t = 0 # Set the time
+ some_end_state = 10 # @TODO - make this less arbitrary
+
+ while t < some_end_state:
+ logging.info(f'Round: {t}')
+ for actor in actors:
+ # Decide if the actor can attack during this round. The more
+ # sophisticated the actor, the more often they can attack. For the
+ # purpose of calculations, the strongest actor is level 1, the
+ # levels go up as the actors get weaker.
+ strength = soph_levels.index(actor.sophistication) + 1
+ if t%strength == 0:
+ # Actor picks a target
+ # @TODO - currently a random target make this more logical later
+ target = np.random.choice(defenders)
+ logging.debug(f'\t{actor.name} attacking {target.name}...')
+ # @TODO - load target's network
+ for r in relationships:
+ if r[0] == target.id and r[1] == 'owns':
+ network = r[2]
+ break
+ event = attack(actor, target, network)
+ event.name = t
+ event.date = t
+ events_fs.save(event)
+ t += 1
+
+def attack(actor, target, network):
+ # @TODO - add some tools, ttps, malware, etc
+ indicators = [random_indicator(np.random.choice(['IPv4 address','domain name']))]
+
+ # @TODO - this probably shouldn't be random...
+ success = np.random.choice([True, False])
+
+ description = target.name
+
+ event = context.Event(
+ id='event--'+str(uuid.uuid4()),
+ description=description,
+ target=target.id,
+ indicators=indicators,
+ attack_successful=success,
+ threat_actor=actor.id)
+ return event
+
+def defend():
 pass
\ No newline at end of file
diff --git a/setup.py b/setup.py
index 1aa070510..0bd75b5d3 100644
--- a/setup.py
+++ b/setup.py
@@ -4,18 +4,24 @@
 HERE = pathlib.Path(__file__).parent
 README = (HERE / "README.md").read_text(encoding="utf8")
 LICENSE = (HERE / "LICENSE.md").read_text(encoding="utf8")
+DESCRIPTION = ("Cybersecurity Decision Analysis Simulator (CDAS) details "
+ "available on GitHub (https://github.com/cmu-sei/CDAS)")
 setup(
 name="cdas",
- version="0.0.2",
- description="Cybersecurity Decision Analysis Simulator",
- long_description=README,
- long_description_content_type="text/markdown",
+ version="0.0.5",
+ description="Cybersecurity Decision Analysis Simulator (CDAS)",
+ long_description=DESCRIPTION,
+ #long_description_content_type="text/markdown",
+ author="Carnegie Mellon University",
+ url="https://github.com/cmu-sei/CDAS",
 license=LICENSE,
+ platforms=['any'],
 classifiers=[
 "Programming Language :: Python :: 3",
 "Programming Language :: Python :: 3.7",
 "Programming Language :: Python :: 3.8",
+ "Programming Language :: Python :: 3.9"
 ],
 packages=["cdas"],
 include_package_data=True,
@@ -33,7 +39,11 @@
 'assets/mitre_cti/tools/*'
 ]
 },
- install_requires=["numpy", "reportlab", "drawSVG"],
+ install_requires=[
+ "numpy",
+ "reportlab",
+ "drawSVG==1.6.0",
+ "cyberdem"],
 entry_points={
 "console_scripts": [
 "cdas=cdas.__main__:main",
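Review bot: In `random_network` the `netblocks` parameter is documented as restricting the addresses that nodes receive, but the body never reads it; every Device is saved with the same hard-coded `network_interfaces=[["eth0", "10.10.30.40"], ["eth1", "192.168.10.2"]]`, so a generated network of any `scale` consists of nodes sharing two identical addresses and the docstring's promise is false. Either derive each node's addresses from `netblocks` when it is given (and make the constant pair the documented fallback for `netblocks=None`), or drop the parameter from the docstring until it is implemented. The trailing TODO comment also carries a stray `")` (`# TODO: add links and relationships for networks in Context.py")`) which reads like a leftover from an f-string. The newly added `import inspect` in the earlier hunk of this file is not used by any line visible here; if nothing else in the module needs it, it should go.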
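Review bot: `filename = os.path.join(self.path, ids)` accepts any string, so an `ids` value containing `..` segments or an absolute path (which `os.path.join` honours by discarding `self.path`) resolves outside the store directory and `get` will open and deserialize whatever it points at; the new `isinstance` check only constrains the type, not the location. A containment check after the `.json` suffix is appended closes this, and while rewriting the block `raise Exception(...)` should be `raise TypeError(...)` and the `j_file.close()` inside the `with` is redundant because the context manager already closes the file. The enclosing `FileStore` class starts outside the hunk.
```python
    def get(self, ids):
        # … unchanged: docstring …
        if not isinstance(ids, str):
            raise TypeError(f'ids should be string not {type(ids)}')

        root = os.path.realpath(self.path)
        filename = os.path.realpath(os.path.join(root, ids))
        if not filename.endswith('.json'):
            filename += '.json'
        # Reject ids that escape the store directory ('..' segments or an
        # absolute path, which os.path.join would otherwise honour).
        if os.path.commonpath([root, filename]) != root:
            raise ValueError(f'{ids} resolves outside the FileStore')
        with open(filename) as j_file:
            obj = json.load(j_file)

        return self._type(**obj)
```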
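Review bot: In `simulate`, `network` is only bound inside the `for r in relationships` loop when a relationship with `r[0] == target.id and r[1] == 'owns'` exists; if the randomly chosen target has none, `attack(actor, target, network)` raises `NameError` on the first such round and, on later rounds, silently reuses the previous target's network. Initialise it before the loop with `network = None` and handle the miss after it, e.g. `if network is None: raise ValueError(f'no network owned by {target.name}')` (or `continue` with a log line if a target without a network is expected). Two further points: `strength = soph_levels.index(actor.sophistication) + 1` raises `ValueError` for any actor whose `sophistication` is not in the list, and its meaning depends on the list order, which this commit reverses in `stix_vocab.json` so that the strongest level comes first; and `event.name = t` / `event.date = t` store an int where `name` presumably expects a string — a name such as `f'Round {t}'` would keep the existing report-style naming.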
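Review bot: The new `"cyberdem"` entry in `install_requires` carries no version constraint, while `drawSVG` sits next to it pinned exactly; every install of this package will therefore resolve `cyberdem` to whatever version the index serves at that moment, so the `base.Device`, `filesystem` and `fs.save` API that the new code in `context.py` and `simulator.py` depends on can change or be replaced under an unchanged `cdas` release. Give it at least a lower bound and a major-version cap, e.g. `"cyberdem>=<tested version>,<<next major>"` (placeholders — fill in from the version this commit was developed against). Conversely, `"drawSVG==1.6.0"` as an exact pin in a library's `install_requires` blocks co-installation with anything needing a different patch release; a compatible-release spec such as `"drawSVG~=1.6"` is the usual middle ground unless a specific breakage motivates the pin.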