From 2698e76043e86969582718c066cb9417e2277bc1 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 22 May 2024 05:30:08 -0700 Subject: [PATCH 1/9] [threat-actors] Add Alpha Spider --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a2ba1b3..7970ccc 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -15981,6 +15981,19 @@ }, "uuid": "53ac2695-35ba-4ab2-a5cd-48ca533f1b72", "value": "Void Manticore" + }, + { + "description": "ALPHA SPIDER is a threat actor known for developing and operating the Alphv ransomware as a service. They have been observed using novel offensive techniques, such as exploiting software vulnerabilities and leveraging legitimate administration tools for malicious activities. ALPHA SPIDER affiliates have demonstrated persistence in exfiltrating data and have shown the ability to bypass security measures like DNS-based filtering and multifactor authentication. Despite lacking specific operational security measures, defenders have opportunities to detect and respond to ALPHA SPIDER's operations effectively.", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/" + ], + "synonyms": [ + "ALPHV Ransomware Group" + ] + }, + "uuid": "6149f3b6-510d-4e45-bf88-cd25c7193702", + "value": "Alpha Spider" } ], "version": 309 From a4afac9a9775775ab846c5235921c0cf997ba055 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Mon, 27 May 2024 21:57:08 +0200 Subject: [PATCH 2/9] new: [d3fend] initial conversion script for MITRE D3FEND #975 --- tools/gen_mitre_d3fend.py | 211 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 211 insertions(+) create mode 100755 tools/gen_mitre_d3fend.py diff --git a/tools/gen_mitre_d3fend.py b/tools/gen_mitre_d3fend.py new file mode 100755 index 0000000..3bb0160 --- /dev/null +++ b/tools/gen_mitre_d3fend.py 
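Review bot: The trailing context line `"version": 309` is left unchanged although a new value is added to the cluster; MISP galaxy cluster files are normally version-bumped together with entry additions so downstream consumers pick up the change. If this repository's validation expects that, the hunk should also turn `"version": 309` into `"version": 310`.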
@@ -0,0 +1,211 @@ +#!/usr/bin/env python3 +import json +import os +import requests +import uuid + +d3fend_url = 'https://d3fend.mitre.org/ontologies/d3fend.json' +d3fend_full_mappings_url = 'https://d3fend.mitre.org/api/ontology/inference/d3fend-full-mappings.json' + + +try: + with open('d3fend.json', 'r') as f: + d3fend_json = json.load(f) +except Exception: + r = requests.get(d3fend_url) + with open('d3fend.json', 'w') as f: + f.write(r.text) + d3fend_json = r.json() + +uuid_seed = '35527064-12b4-4b73-952b-6d76b9f1b1e3' + +tactics = {} # key = tactic, value = phases +phases_ids = [] +techniques_ids = [] +techniques = [] + + +def get_as_list(item): + if isinstance(item, dict): + return item.values() + elif isinstance(item, list): + result = [] + for i in item: + if isinstance(i, dict): + result += i.values() + if isinstance(i, str): + result.append(i) + return result + elif isinstance(item, str): + return [item] + else: + raise ValueError(f'Unexpected type: {type(item)}') + + +def is_val_in_element(val, element): + result = False + if isinstance(element, dict): # only one entry + if val == element['@id']: + return True + elif isinstance(element, list): # multiple entries + for e in element: + if val == e['@id']: + return True + elif not element: + pass + else: + raise ValueError(f'Unexpected type: {type(element)}') + return result + + +def is_element_in_list(element, lst): + if isinstance(element, dict): # only one entry + if element['@id'] in lst: + return True + + elif isinstance(element, list): # multiple entries + for e in element: + if e['@id'] in lst: + return True + else: + raise ValueError(f'Unexpected type: {type(element)}') + + +def id_to_label(id): + return data[id]['rdfs:label'] + + +def get_parent(item): + # value of subClassOf starts with d3f + if 'rdfs:subClassOf' in item: + # if 'd3f:enables' in item: + # parent_classes = get_as_list(item['d3f:enables']) + # else: + parent_classes = get_as_list(item['rdfs:subClassOf']) + for parent_class in 
parent_classes: + if parent_class.startswith('d3f'): + return parent_class + return None + + +def find_kill_chain_of(original_item): + # find if back in the kill chain_tactics list we built before + parent_classes = get_as_list(original_item['rdfs:subClassOf']) + for parent_class in parent_classes: + if parent_class.startswith('d3f'): + parent_class_name = id_to_label(parent_class).replace(' ', '-') + for tactic, phases in kill_chain_tactics.items(): + if parent_class_name in phases: + return f"{tactic}:{parent_class_name}" + # child with one more parent in between + for parent_class in parent_classes: + if parent_class.startswith('d3f'): + return find_kill_chain_of(data[parent_class]) + + +# first convert as dict with key = @id +data = {} +for item in d3fend_json['@graph']: + data[item['@id']] = item + +# tactic +for item in d3fend_json['@graph']: + if is_val_in_element('d3f:DefensiveTactic', item.get('rdfs:subClassOf')): + tactics[item['rdfs:label']] = { + 'order': item['d3f:display-order'], + 'phases': [] + } + print(f"Tactic: {item['rdfs:label']}") + +# phases +for item in d3fend_json['@graph']: + if 'rdfs:subClassOf' in item: + if is_val_in_element('d3f:DefensiveTechnique', item['rdfs:subClassOf']): + phases_ids.append(item['@id']) + parent = id_to_label(item['d3f:enables']['@id']) + tactics[parent]['phases'].append(item['rdfs:label'].replace(' ', '-')) + # print(f"Tactic: {parent} \tPhase: {item['rdfs:label']}") + +# sort the tactics based on the order +tactics = dict(sorted(tactics.items(), key=lambda item: item[1]['order'])) +# sort the values +kill_chain_tactics = {} +for tactic, value in tactics.items(): + kill_chain_tactics[tactic] = sorted(value['phases']) + + +# extract all parent, child and ... 
techniques +seen_new = True +while seen_new: + seen_new = False + for item in d3fend_json['@graph']: + if 'rdfs:subClassOf' in item: + element = item['rdfs:subClassOf'] + if is_element_in_list(element, phases_ids) or is_element_in_list(element, techniques_ids): + if item['@id'] in techniques_ids: + continue + seen_new = True + techniques_ids.append(item['@id']) + if 'Memory Boundary Tracking' in item['rdfs:label']: + print(f"Technique: {item['rdfs:label']}") + kill_chain = find_kill_chain_of(item) + technique = { + 'value': item['rdfs:label'], + 'description': item['d3f:definition'], + 'uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['d3f:d3fend-id'])), + 'meta': { + 'kill_chain': [kill_chain], + 'refs': [f"https://d3fend.mitre.org/technique/{item['@id']}"], + 'external_id': item['d3f:d3fend-id'] + } + } + # synonyms + if 'd3f:synonym' in item: + technique['meta']['synonyms'] = get_as_list(item['d3f:synonym']) + # TODO relations + + techniques.append(technique) + print(f"Technique: {item['rdfs:label']} - {item['d3f:d3fend-id']}") + + +galaxy_fname = 'mitre-d3fend.json' +galaxy_type = "mitre-d3fend" +galaxy_name = "MITRE D3FEND" +galaxy_description = 'A knowledge graph of cybersecurity countermeasures.' 
+galaxy_source = 'https://d3fend.mitre.org/' +json_galaxy = { + 'description': galaxy_description, + 'icon': "map", + 'kill_chain_order': kill_chain_tactics, + 'name': galaxy_name, + 'namespace': "mitre", + 'type': galaxy_type, + 'uuid': "77d1bbfa-2982-4e0a-9238-1dae4a48c5b4", + 'version': 1 +} + +json_cluster = { + 'authors': ["MITRE"], + 'category': 'd3fend', + 'name': galaxy_name, + 'description': galaxy_description, + 'source': galaxy_source, + 'type': galaxy_type, + 'uuid': "b8bd7e45-63bf-4c44-8ab1-c81c82547380", + 'values': list(techniques), + 'version': 1 +} + + +# save the Galaxy and Cluster file +with open(os.path.join('..', 'galaxies', galaxy_fname), 'w') as f: + # do not sort_keys as it would break the kill_chain_order + json.dump(json_galaxy, f, indent=2, ensure_ascii=False) + f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things + +with open(os.path.join('..', 'clusters', galaxy_fname), 'w') as f: + json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False) + f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things + +print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.") + From 2b3d62705d33c41ea77fcd2c4520b0d90461a6ed Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Tue, 28 May 2024 07:43:11 +0200 Subject: [PATCH 3/9] new: [d3fend] added relationships to ATT&CK --- .vscode/launch.json | 9 + clusters/mitre-d3fend.json | 34192 +++++++++++++++++++++++++++++++++++ galaxies/mitre-d3fend.json | 49 + tools/gen_mitre_d3fend.py | 70 +- 4 files changed, 34309 insertions(+), 11 deletions(-) create mode 100644 clusters/mitre-d3fend.json create mode 100644 galaxies/mitre-d3fend.json diff --git a/.vscode/launch.json b/.vscode/launch.json index 1519447..d4ac7c2 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json 
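Review bot: The download fallback in the `try`/`except` near the top of the hunk writes `r.text` to `d3fend.json` and only then calls `r.json()`, with no status check and no `timeout=`, so a non-200 body (an HTML error page, for instance) is persisted as the cache file before the run fails on the parse, and an unresponsive server hangs the script indefinitely. I would change the fetch to `r = requests.get(d3fend_url, timeout=60)`, `r.raise_for_status()` and `d3fend_json = r.json()` and open the cache file for writing only after those succeed, so that nothing but a parsed body is cached. The broad `except Exception` around the cache read silently refetches on any malformed or truncated local file, which is acceptable for a cache but deserves a comment such as `# any failure to read or parse the local cache falls back to a fresh download`. Separately, `find_kill_chain_of` appears to fall off the end and return `None` when no `d3f` parent chain matches a known phase, which would emit `'kill_chain': [None]` into the cluster; a guard such as `if kill_chain is None: print(f"No kill chain for {item['@id']}")` before building `technique`, or omitting the key in that case, would keep the generated JSON consistent.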
@@ -1,6 +1,15 @@ { "version": "0.2.0", "configurations": [ + { + "name": "gen_mitre_d3fend", + "type": "debugpy", + "request": "launch", + "program": "${file}", + "console": "integratedTerminal", + "args": "", + "cwd": "${fileDirname}" + }, { "name": "gen_mitre", "type": "debugpy", diff --git a/clusters/mitre-d3fend.json b/clusters/mitre-d3fend.json new file mode 100644 index 0000000..821da25 --- /dev/null +++ b/clusters/mitre-d3fend.json 
@@ -0,0 +1,34192 @@ +{ + "authors": [ + "MITRE" + ], + "category": "d3fend", + "description": "A knowledge graph of cybersecurity countermeasures.", + "name": "MITRE D3FEND", + "source": "https://d3fend.mitre.org/", + "type": "mitre-d3fend", + "uuid": "b8bd7e45-63bf-4c44-8ab1-c81c82547380", + "values": [ + { + "description": "Restoring software to a host.", + "meta": { + "external_id": "D3-RS", + "kill_chain": [ + "Restore:Restore-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RestoreSoftware" + ] + }, + "related": [ + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "restores" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "restores" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "restores" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "restores" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "restores" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restores" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "restores" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "restores" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "restores" + }, + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "restores" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "restores" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "restores" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "restores" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restores" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "restores" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "restores" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "restores" + }, + { + 
"dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "restores" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "restores" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restores" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "restores" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "restores" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restores" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restores" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "restores" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "restores" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "restores" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restores" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "restores" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "restores" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restores" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "restores" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "restores" + }, + { + "dest-uuid": 
"70d81154-b187-45f9-8ec5-295d01255979", + "type": "restores" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "restores" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "restores" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "restores" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "restores" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restores" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restores" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "restores" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "restores" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restores" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "restores" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "restores" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "restores" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "type": "restores" + }, + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "restores" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "restores" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restores" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + 
"type": "restores" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "restores" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "restores" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "restores" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "restores" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "restores" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "restores" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restores" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "restores" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restores" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "restores" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "restores" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "restores" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "restores" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "restores" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restores" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "restores" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + } + ], + "uuid": "29d77727-12e5-5922-9d2d-70681803d686", + "value": "Restore Software" + }, + { + "description": "Encrypted encapsulation of routable network traffic.", + "meta": { + "external_id": "D3-ET", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:EncryptedTunnels" + ] + }, + "uuid": "4f6861bc-6c0b-51b1-bd5c-5b806951e2cd", + "value": "Encrypted Tunnels" + }, + { + "description": 
"Restoring a previously captured disk image a hard drive.", + "meta": { + "external_id": "D3-RDI", + "kill_chain": [ + "Restore:Restore-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RestoreDiskImage" + ] + }, + "uuid": "5333dada-2a46-5f0a-b371-ca4d565e339c", + "value": "Restore Disk Image" + }, + { + "description": "Service dependency mapping determines the services on which each given service relies.", + "meta": { + "external_id": "D3-SVCDM", + "kill_chain": [ + "Model:System-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ServiceDependencyMapping" + ], + "synonyms": [ + "Distributed Tracing" + ] + }, + "uuid": "95dd39c0-2df7-5cc0-88f1-c692cdbceea8", + "value": "Service Dependency Mapping" + }, + { + "description": "The file removal technique deletes malicious artifacts or programs from a computer system.", + "meta": { + "external_id": "D3-FR", + "kill_chain": [ + "Evict:File-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileRemoval" + ], + "synonyms": [ + "File Deletion" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "deletes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "deletes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "deletes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "deletes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "deletes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "deletes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "deletes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "deletes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "deletes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "deletes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "deletes" + }, 
+ { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "deletes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "deletes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "deletes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "deletes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "deletes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "deletes" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "deletes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "deletes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "deletes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "deletes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "deletes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "deletes" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "deletes" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "deletes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "deletes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "deletes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + 
"type": "deletes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "deletes" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "deletes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "deletes" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "deletes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "deletes" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "deletes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "deletes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "deletes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "deletes" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "deletes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "deletes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "deletes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "deletes" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "deletes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "deletes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "deletes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "deletes" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "deletes" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "deletes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "deletes" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "deletes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "deletes" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "deletes" + }, + { + "dest-uuid": 
"98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "deletes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "deletes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "deletes" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "deletes" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "deletes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "deletes" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "deletes" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "deletes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "deletes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "deletes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "deletes" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "deletes" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "deletes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "deletes" + }, + 
{ + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "deletes" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "deletes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "deletes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "deletes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "deletes" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "deletes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "deletes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "deletes" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "deletes" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "deletes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "deletes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "deletes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "deletes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "deletes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "deletes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "deletes" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "deletes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "deletes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "deletes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": 
"deletes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "deletes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "deletes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "deletes" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "deletes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "deletes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "deletes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "deletes" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "deletes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "deletes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "deletes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "deletes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "deletes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "deletes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "deletes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "deletes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "deletes" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "deletes" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "deletes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "deletes" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "deletes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "deletes" + }, + { + "dest-uuid": 
"30208d3e-0d6b-43c8-883e-44462a514619", + "type": "deletes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "deletes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "deletes" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "deletes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "deletes" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "deletes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "deletes" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "deletes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "deletes" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "deletes" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "deletes" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "deletes" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "deletes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "deletes" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "deletes" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "deletes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "deletes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "deletes" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "deletes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "deletes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "deletes" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "deletes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "deletes" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "deletes" + }, + 
{ + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "deletes" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "deletes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "deletes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "deletes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "deletes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "deletes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "deletes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "deletes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "deletes" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "deletes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "deletes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "deletes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "deletes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "deletes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "deletes" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "deletes" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "deletes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "deletes" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "deletes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "deletes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "deletes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "deletes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "deletes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": 
"deletes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "deletes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "deletes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "deletes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "deletes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "deletes" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "deletes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "deletes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "deletes" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "deletes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "deletes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "deletes" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "deletes" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "deletes" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "deletes" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "deletes" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "deletes" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "deletes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "deletes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "deletes" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "deletes" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "deletes" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "deletes" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "deletes" + }, + { + "dest-uuid": 
"b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "deletes" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "deletes" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "deletes" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "deletes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "deletes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "deletes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "deletes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "deletes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "deletes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "deletes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "deletes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "deletes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "deletes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "deletes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "deletes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "deletes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "deletes" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "deletes" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "deletes" + }, + 
{ + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "deletes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "deletes" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "deletes" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "deletes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "deletes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "deletes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "deletes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "deletes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "deletes" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "deletes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "deletes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "deletes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "deletes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "deletes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "deletes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "deletes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "deletes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "deletes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "deletes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "deletes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "deletes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "deletes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "deletes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": 
"deletes" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "deletes" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "deletes" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "deletes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "deletes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "deletes" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "deletes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "deletes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "deletes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "deletes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "deletes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "deletes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "deletes" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "deletes" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "deletes" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "deletes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "deletes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "deletes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "deletes" + }, + { + "dest-uuid": 
"e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "deletes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "deletes" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "deletes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "deletes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "deletes" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "deletes" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "deletes" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "deletes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "deletes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "deletes" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "deletes" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "deletes" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "deletes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "deletes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "deletes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "deletes" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "deletes" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "deletes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "deletes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "deletes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "deletes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "deletes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "deletes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "deletes" + }, + 
{ + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "deletes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "deletes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "deletes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "deletes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "deletes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "deletes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "deletes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "deletes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "deletes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "deletes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "deletes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "deletes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "deletes" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "deletes" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "deletes" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "deletes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "deletes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "deletes" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "deletes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "deletes" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "deletes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "deletes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "deletes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": 
"deletes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "deletes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "deletes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "deletes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "deletes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "deletes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "deletes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "deletes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "deletes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "deletes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "deletes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "deletes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "deletes" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "deletes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "deletes" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "deletes" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "deletes" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "deletes" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "deletes" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "deletes" + }, + { + "dest-uuid": 
"1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "deletes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "deletes" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "deletes" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "deletes" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "deletes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "deletes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "deletes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "deletes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "deletes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "deletes" + } + ], + "uuid": "2fdd5180-fa37-56eb-9c0c-d0a3d3de5887", + "value": "File Removal" + }, + { + "description": "Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.", + "meta": { + "external_id": "D3-NVA", + "kill_chain": [ + "Model:Network-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:NetworkVulnerabilityAssessment" + ] + }, + "uuid": "189e4b3b-1405-5caa-8643-c10d768d473e", + "value": "Network Vulnerability Assessment" + }, + { + "description": "The detection of an internal host relaying traffic between the internal network and the external network.", + "meta": { + "external_id": "D3-RPA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis" + ], + "synonyms": [ + "Relay Network Detection" + ] + }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + 
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": 
"7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + 
"type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + } + ], + "uuid": "5ab35c35-f181-523e-8cb8-947d23652d9f", + "value": "Relay Pattern Analysis" + }, + { + "description": "Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.", + "meta": { + "external_id": "D3-DNSDL", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DNSDenylisting" + ], + "synonyms": [ + "DNS Blacklisting" + ] + }, + "related": 
[ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "blocks" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "blocks" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "blocks" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "blocks" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "blocks" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "blocks" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "blocks" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "blocks" + } + ], + "uuid": "4301db4f-dde9-5376-ab2c-7654dc428e37", + "value": "DNS Denylisting" + }, + { + "description": "Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.", + "meta": { + "external_id": "D3-AVE", + "kill_chain": [ + "Model:Asset-Inventory" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:AssetVulnerabilityEnumeration" + ] + }, + "related": [ + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "evaluates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "evaluates" + }, + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "evaluates" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "evaluates" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "evaluates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "evaluates" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "evaluates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "evaluates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": 
"9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "evaluates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "evaluates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "evaluates" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "type": "evaluates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "evaluates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "evaluates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "evaluates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "evaluates" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "evaluates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "evaluates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "evaluates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "evaluates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "evaluates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "evaluates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": 
"9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "evaluates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "evaluates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "evaluates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "evaluates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "evaluates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "evaluates" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "evaluates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "evaluates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "evaluates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "evaluates" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "evaluates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "evaluates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": 
"42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "evaluates" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "evaluates" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "type": "evaluates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "evaluates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "evaluates" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "evaluates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "evaluates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "evaluates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "evaluates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "evaluates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "evaluates" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "evaluates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "evaluates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "evaluates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "evaluates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "evaluates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "evaluates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": 
"191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "evaluates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "evaluates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "evaluates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "evaluates" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "evaluates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "evaluates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "evaluates" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "evaluates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "evaluates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "evaluates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "evaluates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "evaluates" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "evaluates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "evaluates" + }, + { + "dest-uuid": 
"b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "evaluates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "evaluates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "evaluates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "evaluates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "evaluates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "evaluates" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "evaluates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "evaluates" + }, + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "evaluates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "evaluates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "evaluates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "evaluates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "evaluates" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "evaluates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "evaluates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "evaluates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "evaluates" + } + ], + "uuid": "f33f256f-34d7-541f-96c4-8c800483b73b", + "value": "Asset Vulnerability Enumeration" + }, + { + "description": "Monitoring code is injected into firmware for integrity monitoring of firmware and 
firmware data.", + "meta": { + "external_id": "D3-FEMC", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FirmwareEmbeddedMonitoringCode" + ] + }, + "related": [ + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "analyzes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "analyzes" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "analyzes" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "analyzes" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "analyzes" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "analyzes" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "analyzes" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "analyzes" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "analyzes" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "analyzes" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "analyzes" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "analyzes" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "analyzes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "analyzes" + } + ], + "uuid": "81f25868-5be1-5df4-93bf-b215f4a67144", + "value": "Firmware Embedded Monitoring Code" + }, + { + "description": "An authentication token created for the purposes of deceiving an adversary.", + "meta": { + "external_id": "D3-DST", + "kill_chain": [ + "Deceive:Decoy-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DecoySessionToken" + ] + }, + "related": [ + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "spoofs" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "spoofs" + }, + { + "dest-uuid": 
"8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "spoofs" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "spoofs" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "spoofs" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "spoofs" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "spoofs" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "spoofs" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "spoofs" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "spoofs" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "spoofs" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "spoofs" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "spoofs" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "spoofs" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "spoofs" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "spoofs" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "spoofs" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "spoofs" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "spoofs" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "spoofs" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "spoofs" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "spoofs" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "spoofs" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "spoofs" + } + ], + "uuid": "b99c9f58-af74-5661-864b-776707bd69af", + "value": "Decoy Session Token" + }, + { + "description": "Requiring a digital certificate in order to authenticate a user.", + "meta": { 
+ "external_id": "D3-CBAN", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:Certificate-basedAuthentication" + ] + }, + "uuid": "4f6fd329-73a1-5331-8595-c2fa5c8d6cc5", + "value": "Certificate-based Authentication" + }, + { + "description": "Encrypting a file using a cryptographic key.", + "meta": { + "external_id": "D3-FE", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileEncryption" + ] + }, + "related": [ + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "encrypts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "encrypts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "encrypts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "encrypts" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "encrypts" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "encrypts" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "encrypts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "encrypts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "encrypts" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "encrypts" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "encrypts" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "encrypts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "encrypts" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "encrypts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "encrypts" + }, + { + "dest-uuid": 
"ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "encrypts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "encrypts" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "encrypts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "encrypts" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "encrypts" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "encrypts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "encrypts" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "encrypts" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "encrypts" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "encrypts" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "encrypts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "encrypts" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "encrypts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "encrypts" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "encrypts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "encrypts" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "encrypts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "encrypts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "encrypts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "encrypts" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "encrypts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + 
"type": "encrypts" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "encrypts" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "encrypts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "encrypts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "encrypts" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "encrypts" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "encrypts" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "encrypts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "encrypts" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "encrypts" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "encrypts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "encrypts" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "encrypts" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "encrypts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "encrypts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "encrypts" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "encrypts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "encrypts" + }, + { + "dest-uuid": 
"2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "encrypts" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "encrypts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "encrypts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "encrypts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "encrypts" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "encrypts" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "encrypts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "encrypts" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "encrypts" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "encrypts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "encrypts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "encrypts" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "encrypts" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "encrypts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "encrypts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "encrypts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "encrypts" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + 
"type": "encrypts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "encrypts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "encrypts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "encrypts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "encrypts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "encrypts" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "encrypts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "encrypts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "encrypts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "encrypts" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "encrypts" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "encrypts" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "encrypts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "encrypts" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "encrypts" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "encrypts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "encrypts" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "encrypts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "encrypts" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "encrypts" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "encrypts" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "encrypts" + }, + { + "dest-uuid": 
"c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "encrypts" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "encrypts" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "encrypts" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "encrypts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "encrypts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "encrypts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "encrypts" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "encrypts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "encrypts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "encrypts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "encrypts" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "encrypts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "encrypts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "encrypts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "encrypts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "encrypts" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "encrypts" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "encrypts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "encrypts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + 
"type": "encrypts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "encrypts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "encrypts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "encrypts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "encrypts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "encrypts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "encrypts" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "encrypts" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "encrypts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "encrypts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "encrypts" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "encrypts" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "encrypts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "encrypts" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "encrypts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "encrypts" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "encrypts" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "encrypts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "encrypts" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "encrypts" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "encrypts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "encrypts" + }, + { + "dest-uuid": 
"d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "encrypts" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "encrypts" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "encrypts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "encrypts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "encrypts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "encrypts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "encrypts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "encrypts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "encrypts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "encrypts" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "encrypts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "encrypts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "encrypts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "encrypts" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "encrypts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "encrypts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "encrypts" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "encrypts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "encrypts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "encrypts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "encrypts" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "encrypts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "encrypts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + 
"type": "encrypts" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "encrypts" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "encrypts" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "encrypts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "encrypts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "encrypts" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "encrypts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "encrypts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "encrypts" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "encrypts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "encrypts" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "encrypts" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "encrypts" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "encrypts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "encrypts" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "encrypts" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "encrypts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "encrypts" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "encrypts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "encrypts" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "encrypts" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "encrypts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "encrypts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "encrypts" + }, + { + "dest-uuid": 
"143c0cbb-a297-4142-9624-87ffc778980b", + "type": "encrypts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "encrypts" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "encrypts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "encrypts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "encrypts" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "encrypts" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "encrypts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "encrypts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "encrypts" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "encrypts" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "encrypts" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "encrypts" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "encrypts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "encrypts" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "encrypts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "encrypts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "encrypts" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "encrypts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "encrypts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "encrypts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "encrypts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "encrypts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "encrypts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + 
"type": "encrypts" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "encrypts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "encrypts" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "encrypts" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "encrypts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "encrypts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "encrypts" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "encrypts" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "encrypts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "encrypts" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "encrypts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "encrypts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "encrypts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "encrypts" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "encrypts" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "encrypts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "encrypts" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "encrypts" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "encrypts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "encrypts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "encrypts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "encrypts" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "encrypts" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "encrypts" + }, + { + "dest-uuid": 
"70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "encrypts" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "encrypts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "encrypts" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "encrypts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "encrypts" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "encrypts" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "encrypts" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "encrypts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "encrypts" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "encrypts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "encrypts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "encrypts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "encrypts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "encrypts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "encrypts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "encrypts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "encrypts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "encrypts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "encrypts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "encrypts" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "encrypts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "encrypts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "encrypts" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + 
"type": "encrypts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "encrypts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "encrypts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "encrypts" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "encrypts" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "encrypts" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "encrypts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "encrypts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "encrypts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "encrypts" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "encrypts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "encrypts" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "encrypts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "encrypts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "encrypts" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "encrypts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "encrypts" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "encrypts" + }, + { + "dest-uuid": 
"e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "encrypts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "encrypts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "encrypts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "encrypts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "encrypts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "encrypts" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "encrypts" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "encrypts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "encrypts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "encrypts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "encrypts" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "encrypts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "encrypts" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "encrypts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "encrypts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "encrypts" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "encrypts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "encrypts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "encrypts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "encrypts" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + 
"type": "encrypts" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "encrypts" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "encrypts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "encrypts" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "encrypts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "encrypts" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "encrypts" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "encrypts" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "encrypts" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "encrypts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "encrypts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "encrypts" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "encrypts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "encrypts" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "encrypts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "encrypts" + }, + { + "dest-uuid": 
"58af3705-8740-4c68-9329-ec015a7013c2", + "type": "encrypts" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "encrypts" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "encrypts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "encrypts" + } + ], + "uuid": "0c9fdd66-2aef-53dd-9f13-195378c896c4", + "value": "File Encryption" + }, + { + "description": "Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.", + "meta": { + "external_id": "D3-FBA", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FirmwareBehaviorAnalysis" + ], + "synonyms": [ + "Firmware Timing Analysis" + ] + }, + "related": [ + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "analyzes" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "analyzes" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "analyzes" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "analyzes" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "analyzes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "analyzes" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "analyzes" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "analyzes" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "analyzes" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "analyzes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "analyzes" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "analyzes" + }, + { + 
"dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "analyzes" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "analyzes" + } + ], + "uuid": "d20178ca-30de-529c-9a40-e71020922ac1", + "value": "Firmware Behavior Analysis" + }, + { + "description": "Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.", + "meta": { + "external_id": "D3-AZET", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:AuthorizationEventThresholding" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + } + ], + "uuid": "583a20a1-97f7-518f-9799-36df6fb57102", + "value": "Authorization Event Thresholding" + }, + { + "description": "System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.", + "meta": { + "external_id": "D3-SYSDM", + "kill_chain": [ + 
"Model:System-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemDependencyMapping" + ] + }, + "uuid": "da7d9e4b-1d61-591f-890e-2346dee033be", + "value": "System Dependency Mapping" + }, + { + "description": "Modifying system configuration to increase password strength.", + "meta": { + "external_id": "D3-SPP", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "strengthens" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "strengthens" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "strengthens" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "strengthens" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "strengthens" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "strengthens" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "strengthens" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "strengthens" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "strengthens" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "strengthens" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "strengthens" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "strengthens" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "strengthens" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "strengthens" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "strengthens" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "strengthens" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "strengthens" + }, + { + 
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "strengthens" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "strengthens" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "strengthens" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "strengthens" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "strengthens" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "strengthens" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "strengthens" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "strengthens" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "strengthens" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "strengthens" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "strengthens" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "strengthens" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "strengthens" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "strengthens" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "strengthens" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "strengthens" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "strengthens" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "strengthens" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "strengthens" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "strengthens" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "strengthens" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "strengthens" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": 
"strengthens" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "strengthens" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "strengthens" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "strengthens" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "strengthens" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "strengthens" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "strengthens" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "strengthens" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "strengthens" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "strengthens" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "strengthens" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "strengthens" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "strengthens" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "strengthens" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "strengthens" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "strengthens" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "strengthens" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "strengthens" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "strengthens" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "strengthens" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "strengthens" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "strengthens" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "strengthens" + }, + { + "dest-uuid": 
"c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "strengthens" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "strengthens" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "strengthens" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "strengthens" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "strengthens" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "strengthens" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "strengthens" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "strengthens" + } + ], + "uuid": "6b924516-5351-5b37-ab43-ea65ae2e17e8", + "value": "Strong Password Policy" + }, + { + "description": "Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.", + "meta": { + "external_id": "D3-UGLPA", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": 
"analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": 
"f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + 
"type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": 
"451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + 
"type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": 
"4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + 
"type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": 
"fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + } + ], + "uuid": "9657e08e-f233-5d19-9586-5d58698cc232", + "value": "User Geolocation Logon Pattern Analysis" + }, + { + "description": "Analyzing the resources accessed by a user to identify unauthorized activity.", + "meta": { + "external_id": "D3-RAPA", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": 
"analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": 
"e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + } + ], + "uuid": "330b1db8-3ed7-52e1-a395-f1bc697a7e1a", + "value": "Resource Access Pattern Analysis" + }, + { + "description": "Taking known malicious identifiers and determining if they are present in a system.", + "meta": { + "external_id": "D3-IAA", + "kill_chain": [ + "Detect:Identifier-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:IdentifierActivityAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + } + ], + "uuid": "1b5d2cee-4dca-51dc-8a18-163762082510", + "value": "Identifier 
Activity Analysis" + }, + { + "description": "Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs.", + "meta": { + "external_id": "D3-CA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:CertificateAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": 
"df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + } + ], + "uuid": "c562e16c-4f84-5d7d-a54a-21fbb013ea23", + "value": "Certificate Analysis" + }, + { + "description": "System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.", + "meta": { + "external_id": "D3-SYSVA", + "kill_chain": [ + "Model:System-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemVulnerabilityAssessment" + ] + }, + "related": [ + { + "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", + "type": "evaluates" + }, + { + "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", + "type": "evaluates" + } + ], + "uuid": "48a55ead-bd27-5530-b060-63032ac9f849", + "value": "System Vulnerability Assessment" + }, + { + "description": "Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.", + "meta": { + "external_id": "D3-JFAPA", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": 
"b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + } + ], + "uuid": "0cce711a-81ec-53ec-8a82-ccd5a2b3f8dc", + "value": "Job Function Access Pattern Analysis" + }, + { + "description": "Analyzing the files accessed by a process to identify unauthorized activity.", + "meta": { + "external_id": "D3-FAPA", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis" + ] + }, + "uuid": "0d08cf25-a816-5c0f-b3aa-5b9b51c3a5ae", + "value": "File Access Pattern Analysis" + }, + { + "description": "Encrypting a hard disk partition to prevent cleartext access to a file system.", + "meta": { + "external_id": "D3-DENCR", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DiskEncryption" + ] + }, + "related": [ + { + "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", + "type": "encrypts" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "type": "encrypts" + }, + { + "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", + "type": "encrypts" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "type": "encrypts" + } + ], + "uuid": "cf1d31be-4a4c-504f-b5d8-c4cff1d80157", + "value": "Disk Encryption" + }, + { + "description": "Restricting access to a local file by configuring operating system functionality.", + "meta": { + "external_id": "D3-LFP", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:LocalFilePermissions" + ] + }, + "related": [ + { 
+ "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restricts" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "restricts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restricts" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "restricts" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "restricts" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "restricts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restricts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restricts" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "restricts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restricts" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "restricts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restricts" + }, + { + "dest-uuid": 
"bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "restricts" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "restricts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "restricts" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "restricts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "restricts" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "restricts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "restricts" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "restricts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "restricts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restricts" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "restricts" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "restricts" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "restricts" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "restricts" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "restricts" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restricts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restricts" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": 
"92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restricts" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "restricts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restricts" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "restricts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restricts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restricts" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "restricts" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "restricts" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restricts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restricts" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "restricts" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "restricts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restricts" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "restricts" + }, + { + "dest-uuid": 
"d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restricts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restricts" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "restricts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restricts" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restricts" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "restricts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restricts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restricts" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restricts" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restricts" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "restricts" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "restricts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "restricts" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restricts" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "restricts" + }, + { + "dest-uuid": 
"355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "restricts" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "restricts" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restricts" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "restricts" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restricts" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "restricts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restricts" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "restricts" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "restricts" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "restricts" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restricts" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "restricts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restricts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restricts" + }, + { + "dest-uuid": 
"6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "restricts" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "restricts" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restricts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restricts" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "restricts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restricts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restricts" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "restricts" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restricts" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "restricts" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restricts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restricts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restricts" + }, + { + "dest-uuid": 
"2e34237d-8574-43f6-aace-ae2915de8597", + "type": "restricts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restricts" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "restricts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restricts" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restricts" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "restricts" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "restricts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restricts" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "restricts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restricts" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "restricts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restricts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restricts" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restricts" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "restricts" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "restricts" + }, + { + "dest-uuid": 
"633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restricts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restricts" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "restricts" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "restricts" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restricts" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "restricts" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "restricts" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "restricts" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "restricts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "restricts" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "restricts" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "restricts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restricts" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restricts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "restricts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restricts" + }, + { + "dest-uuid": 
"633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restricts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "restricts" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "restricts" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restricts" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restricts" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "restricts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restricts" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "restricts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restricts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "restricts" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "restricts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "restricts" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "restricts" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restricts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restricts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "restricts" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "restricts" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "restricts" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "restricts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "restricts" + }, + { + "dest-uuid": 
"143c0cbb-a297-4142-9624-87ffc778980b", + "type": "restricts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restricts" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "restricts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restricts" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restricts" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "restricts" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restricts" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "restricts" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "restricts" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "restricts" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "restricts" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "restricts" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "restricts" + }, + { + "dest-uuid": 
"dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restricts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restricts" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "restricts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "restricts" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "restricts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restricts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restricts" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "restricts" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "restricts" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "restricts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "restricts" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "restricts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restricts" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restricts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restricts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restricts" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restricts" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "restricts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restricts" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "restricts" + }, + { + "dest-uuid": 
"58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "restricts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restricts" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "restricts" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restricts" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "restricts" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restricts" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "restricts" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "restricts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "restricts" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "restricts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": 
"9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restricts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restricts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restricts" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restricts" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restricts" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "restricts" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restricts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restricts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restricts" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "restricts" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "restricts" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "restricts" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "restricts" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "restricts" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "restricts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restricts" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restricts" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restricts" + }, + { + "dest-uuid": 
"f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restricts" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restricts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restricts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restricts" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restricts" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restricts" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "restricts" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restricts" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "restricts" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restricts" + }, + { + "dest-uuid": 
"9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restricts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restricts" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "restricts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restricts" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "restricts" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restricts" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "restricts" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restricts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restricts" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restricts" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "restricts" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "restricts" + }, + { + "dest-uuid": 
"f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restricts" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "restricts" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restricts" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restricts" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "restricts" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restricts" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "restricts" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "restricts" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "restricts" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restricts" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restricts" + } + ], + "uuid": "96558b76-c4a8-5e9c-b4d2-fe6103717f14", + "value": "Local File Permissions" + }, + { + "description": "Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) 
in the organization's architecture.", + "meta": { + "external_id": "D3-NNI", + "kill_chain": [ + "Model:Asset-Inventory" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:NetworkNodeInventory" + ], + "synonyms": [ + "System Discovery", + "System Inventorying" + ] + }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "inventories" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "inventories" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "inventories" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "inventories" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "inventories" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "inventories" + } + ], + "uuid": "ed4c88b9-98c8-5d87-a454-fc5bfadbe87f", + "value": "Network Node Inventory" + }, + { + "description": "Determining which credentials may have been compromised by analyzing the user logon history of a particular system.", + "meta": { + "external_id": "D3-CCSA", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:CredentialCompromiseScopeAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "analyzes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "analyzes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "analyzes" + }, + { + "dest-uuid": 
"677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "analyzes" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "analyzes" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "analyzes" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "analyzes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "analyzes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "analyzes" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "analyzes" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "analyzes" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "analyzes" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "analyzes" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "analyzes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "analyzes" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "analyzes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "analyzes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "analyzes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "analyzes" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "analyzes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + 
"type": "analyzes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "analyzes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "analyzes" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "analyzes" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "analyzes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "analyzes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "analyzes" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "analyzes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "analyzes" + } + ], + "uuid": "cfc9c8f1-ed4b-5631-9ac2-34da65615f78", + "value": "Credential Compromise Scope Analysis" + }, + { + "description": "Analyzing vendor specific branch call recording in order to detect ROP style attacks.", + "meta": { + "external_id": "D3-IBCA", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:IndirectBranchCallAnalysis" + ] + }, + "uuid": "8b313d6f-7c80-5363-8df2-9eeaf7b6b2dc", + "value": "Indirect Branch Call Analysis" + }, + { + "description": "Software inventorying identifies and records the software items in the organization's 
architecture.", + "meta": { + "external_id": "D3-SWI", + "kill_chain": [ + "Model:Asset-Inventory" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SoftwareInventory" + ], + "synonyms": [ + "Software Discovery", + "Software Inventorying" + ] + }, + "related": [ + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "inventories" + }, + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "inventories" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "inventories" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "inventories" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "inventories" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "inventories" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "inventories" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "inventories" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "inventories" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "inventories" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "inventories" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "inventories" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "inventories" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "inventories" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "type": "inventories" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "inventories" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "inventories" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "inventories" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "inventories" + }, + { + "dest-uuid": 
"791481f8-e96a-41be-b089-a088763083d4", + "type": "inventories" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "inventories" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "inventories" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "inventories" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "inventories" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "inventories" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "inventories" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "inventories" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "inventories" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "inventories" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "inventories" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "inventories" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "inventories" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "inventories" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "inventories" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "inventories" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "inventories" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "inventories" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "inventories" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "inventories" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "inventories" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "inventories" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "inventories" 
+ }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "inventories" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "inventories" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "inventories" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "inventories" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "inventories" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "inventories" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "inventories" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "inventories" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "inventories" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "inventories" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "inventories" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "inventories" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "inventories" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "inventories" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "inventories" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "inventories" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "inventories" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "inventories" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "inventories" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "inventories" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "inventories" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "inventories" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", 
+ "type": "inventories" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "inventories" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "inventories" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "inventories" + }, + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "inventories" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "inventories" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "inventories" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "inventories" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "inventories" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "inventories" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "inventories" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "inventories" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "inventories" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "inventories" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "inventories" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "inventories" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "inventories" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "inventories" + } + ], + "uuid": "e632f4db-2c4f-526a-ad4d-4b7de2704905", + "value": "Software Inventory" + }, + { + "description": "Terminating a running application process on a computer system.", + "meta": { + "external_id": "D3-PT", + "kill_chain": [ + "Evict:Process-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ProcessTermination" + ] + }, + "related": [ + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": 
"9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "terminates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "terminates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + 
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "terminates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "terminates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + } + ], + "uuid": "e3db4b3a-45a1-5a0e-9c84-a987f0d77552", + "value": "Process Termination" + }, + { + "description": "Analyzing failed connections in a network to detect unauthorized activity.", + "meta": { + "external_id": "D3-CAA", + "kill_chain": [ + 
"Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis" + ], + "synonyms": [ + "Network Scan Detection" + ] + }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": 
"01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + } + ], + "uuid": "10d2827d-2b3c-5afe-9aed-be770f276bcd", + "value": "Connection Attempt Analysis" + }, + { + "description": "Encrypting a message body using a cryptographic key.", + "meta": { + "external_id": "D3-MENCR", + "kill_chain": 
[ + "Harden:Message-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:MessageEncryption" + ] + }, + "uuid": "87e2441e-ea28-5150-8308-df05c5efe469", + "value": "Message Encryption" + }, + { + "description": "Randomizing the base (start) address of one or more segments of memory during the initialization of a process.", + "meta": { + "external_id": "D3-SAOR", + "kill_chain": [ + "Harden:Application-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SegmentAddressOffsetRandomization" + ], + "synonyms": [ + "ASLR", + "Address Space Layout Randomization" + ] + }, + "related": [ + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "obfuscates" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "obfuscates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "obfuscates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "obfuscates" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "type": "obfuscates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "obfuscates" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "obfuscates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "obfuscates" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "obfuscates" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "obfuscates" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "obfuscates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "obfuscates" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "obfuscates" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "obfuscates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "obfuscates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": 
"obfuscates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "obfuscates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "obfuscates" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "obfuscates" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "obfuscates" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "type": "obfuscates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "obfuscates" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "obfuscates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "obfuscates" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "obfuscates" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "obfuscates" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "obfuscates" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "obfuscates" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "obfuscates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "obfuscates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "obfuscates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "obfuscates" + } + ], + "uuid": "16bb3607-f4a0-543e-9d1f-d5e0792b35d7", + "value": "Segment Address Offset Randomization" + }, + { + "description": "Restoring an software configuration.", + "meta": { + "external_id": "D3-RC", + "kill_chain": [ + "Restore:Restore-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RestoreConfiguration" + ] + }, + "related": [ + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "restores" + }, + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + 
"type": "restores" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restores" + }, + { + "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3", + "type": "restores" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "restores" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "type": "restores" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restores" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "restores" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restores" + }, + { + "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", + "type": "restores" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restores" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "type": "restores" + }, + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "restores" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restores" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restores" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "restores" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "restores" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "restores" + }, + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restores" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "type": "restores" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restores" + }, + { + "dest-uuid": 
"8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "restores" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restores" + }, + { + "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc", + "type": "restores" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "restores" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restores" + }, + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "type": "restores" + }, + { + "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "restores" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restores" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "restores" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "restores" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "restores" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "restores" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "restores" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "restores" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "restores" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "restores" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "restores" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restores" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restores" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restores" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restores" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "type": "restores" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "restores" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + 
"type": "restores" + }, + { + "dest-uuid": "e49920b0-6c54-40c1-9571-73723653205f", + "type": "restores" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restores" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "restores" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restores" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "type": "restores" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "restores" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "restores" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "type": "restores" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "restores" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "restores" + }, + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "type": "restores" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "restores" + }, + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "type": "restores" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "type": "restores" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restores" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "restores" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "restores" + }, + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "type": "restores" + }, + { + "dest-uuid": "3d1b9d7e-3921-4d25-845a-7d9f15c0da44", + "type": "restores" + }, + { + "dest-uuid": 
"bf147104-abf9-4221-95d1-e81585859441", + "type": "restores" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restores" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "type": "restores" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restores" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "restores" + }, + { + "dest-uuid": "3d1b9d7e-3921-4d25-845a-7d9f15c0da44", + "type": "restores" + }, + { + "dest-uuid": "bf147104-abf9-4221-95d1-e81585859441", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restores" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "restores" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restores" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "restores" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "restores" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restores" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "restores" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restores" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "restores" + }, + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "type": "restores" + }, + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "type": "restores" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "restores" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restores" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + 
"type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restores" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restores" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "type": "restores" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restores" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "restores" + }, + { + "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3", + "type": "restores" + }, + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "type": "restores" + }, + { + "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc", + "type": "restores" + }, + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "type": "restores" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "restores" + }, + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "type": "restores" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "type": "restores" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "restores" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "type": "restores" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restores" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "type": "restores" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "restores" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "restores" + }, + { + "dest-uuid": 
"0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "restores" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "restores" + }, + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "type": "restores" + }, + { + "dest-uuid": "e49920b0-6c54-40c1-9571-73723653205f", + "type": "restores" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "restores" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "restores" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restores" + }, + { + "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "restores" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "restores" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restores" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "restores" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restores" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "restores" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restores" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "type": "restores" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "restores" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "restores" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "restores" + }, + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "type": "restores" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "restores" + }, + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "type": "restores" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "type": "restores" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restores" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + 
"type": "restores" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restores" + }, + { + "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", + "type": "restores" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "restores" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restores" + } + ], + "uuid": "63433457-ee95-551c-ad4f-b1b22c1816eb", + "value": "Restore Configuration" + }, + { + "description": "Deploying a network resource for the purposes of deceiving an adversary.", + "meta": { + "external_id": "D3-DNR", + "kill_chain": [ + "Deceive:Decoy-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DecoyNetworkResource" + ] + }, + "related": [ + { + "dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3", + "type": "spoofs" + }, + { + "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", + "type": "spoofs" + }, + { + "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", + "type": "spoofs" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "type": "spoofs" + }, + { + "dest-uuid": "7ad38ef1-381a-406d-872a-38b136eb5ecc", + "type": "spoofs" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "spoofs" + }, + { + "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", + "type": "spoofs" + }, + { + "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", + "type": "spoofs" + }, + { + "dest-uuid": "7ad38ef1-381a-406d-872a-38b136eb5ecc", + "type": "spoofs" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "spoofs" + }, + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "type": "spoofs" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "type": "spoofs" + }, + { + "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", + "type": "spoofs" + }, + { + "dest-uuid": "7ad38ef1-381a-406d-872a-38b136eb5ecc", + "type": "spoofs" + }, + { + "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", + "type": "spoofs" + }, + { + 
"dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3", + "type": "spoofs" + }, + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "type": "spoofs" + }, + { + "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", + "type": "spoofs" + }, + { + "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", + "type": "spoofs" + }, + { + "dest-uuid": "7ad38ef1-381a-406d-872a-38b136eb5ecc", + "type": "spoofs" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "spoofs" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "spoofs" + } + ], + "uuid": "d7c54f92-9914-5025-a5bd-0c69426f2004", + "value": "Decoy Network Resource" + }, + { + "description": "Replacing old software on a computer system component.", + "meta": { + "external_id": "D3-SU", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SoftwareUpdate" + ] + }, + "related": [ + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "updates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "updates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "updates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "updates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "updates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "updates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "updates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "updates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "updates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "updates" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "updates" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "type": "updates" + }, + { + "dest-uuid": 
"0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "updates" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "updates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "updates" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "updates" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "updates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "updates" + }, + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "updates" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "updates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "updates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "updates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "updates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "updates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "updates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "updates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "updates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "updates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "updates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "updates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "updates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "updates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "updates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "updates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "updates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "updates" + }, + 
{ + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "updates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "updates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "updates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "updates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "updates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "updates" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "updates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "updates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "updates" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "type": "updates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "updates" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "updates" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "updates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "updates" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "updates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "updates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "updates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "updates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "updates" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "updates" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "updates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "updates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "updates" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": 
"updates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "updates" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "updates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "updates" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "updates" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "updates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "updates" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "updates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "updates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "updates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "updates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "updates" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "updates" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "updates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "updates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "updates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "updates" + }, + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "type": "updates" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "updates" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "updates" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "updates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "updates" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "updates" + } + ], + "uuid": "8499c7a5-99f4-5867-82ad-d021026d7abb", + "value": "Software Update" + }, + { + "description": "A file created for the 
purposes of deceiving an adversary.", + "meta": { + "external_id": "D3-DF", + "kill_chain": [ + "Deceive:Decoy-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DecoyFile" + ] + }, + "related": [ + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "spoofs" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "spoofs" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "spoofs" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "spoofs" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "spoofs" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "spoofs" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "spoofs" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "spoofs" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "spoofs" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "spoofs" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "spoofs" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "spoofs" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "spoofs" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "spoofs" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "spoofs" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "spoofs" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "spoofs" + }, + { + "dest-uuid": 
"43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "spoofs" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "spoofs" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "spoofs" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "spoofs" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "spoofs" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "spoofs" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "spoofs" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "spoofs" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "spoofs" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "spoofs" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "spoofs" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "spoofs" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "spoofs" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "spoofs" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "spoofs" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "spoofs" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "spoofs" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "spoofs" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "spoofs" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "spoofs" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "spoofs" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "spoofs" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "spoofs" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "spoofs" + }, + { + "dest-uuid": 
"840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "spoofs" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "spoofs" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "spoofs" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "spoofs" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "spoofs" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "spoofs" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "spoofs" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "spoofs" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "spoofs" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "spoofs" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "spoofs" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "spoofs" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "spoofs" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "spoofs" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "spoofs" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "spoofs" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "spoofs" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "spoofs" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "spoofs" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "spoofs" + }, + { + "dest-uuid": 
"f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "spoofs" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "spoofs" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "spoofs" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "spoofs" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "spoofs" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "spoofs" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "spoofs" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "spoofs" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "spoofs" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "spoofs" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "spoofs" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "spoofs" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "spoofs" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "spoofs" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "spoofs" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "spoofs" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "spoofs" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "spoofs" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "spoofs" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "spoofs" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "spoofs" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "spoofs" + }, + { + "dest-uuid": 
"806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "spoofs" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "spoofs" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "spoofs" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "spoofs" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "spoofs" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "spoofs" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "spoofs" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "spoofs" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "spoofs" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "spoofs" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "spoofs" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "spoofs" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "spoofs" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "spoofs" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "spoofs" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "spoofs" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "spoofs" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "spoofs" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "spoofs" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "spoofs" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": 
"8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "spoofs" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "spoofs" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "spoofs" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "spoofs" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "spoofs" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "spoofs" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "spoofs" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "spoofs" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "spoofs" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "spoofs" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "spoofs" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "spoofs" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "spoofs" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "spoofs" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "spoofs" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "spoofs" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "spoofs" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "spoofs" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "spoofs" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "spoofs" + }, + { + "dest-uuid": 
"63220765-d418-44de-8fae-694b3912317d", + "type": "spoofs" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "spoofs" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "spoofs" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "spoofs" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "spoofs" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "spoofs" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "spoofs" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "spoofs" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "spoofs" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "spoofs" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "spoofs" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "spoofs" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "spoofs" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "spoofs" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "spoofs" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "spoofs" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "spoofs" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "spoofs" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "spoofs" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "spoofs" + }, + { + "dest-uuid": 
"1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "spoofs" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "spoofs" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "spoofs" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "spoofs" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "spoofs" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "spoofs" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "spoofs" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "spoofs" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "spoofs" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "spoofs" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "spoofs" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "spoofs" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "spoofs" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "spoofs" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "spoofs" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "spoofs" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "spoofs" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "spoofs" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "spoofs" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "spoofs" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "spoofs" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "spoofs" + }, + { + "dest-uuid": 
"06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "spoofs" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "spoofs" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "spoofs" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "spoofs" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "spoofs" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "spoofs" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "spoofs" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "spoofs" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "spoofs" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "spoofs" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "spoofs" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "spoofs" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "spoofs" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "spoofs" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "spoofs" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "spoofs" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "spoofs" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "spoofs" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "spoofs" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "spoofs" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "spoofs" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "spoofs" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "spoofs" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "spoofs" + }, + { + "dest-uuid": 
"8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "spoofs" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "spoofs" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "spoofs" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "spoofs" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "spoofs" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "spoofs" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "spoofs" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "spoofs" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "spoofs" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "spoofs" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "spoofs" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "spoofs" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "spoofs" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "spoofs" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "spoofs" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "spoofs" + }, + { + "dest-uuid": 
"b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "spoofs" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "spoofs" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "spoofs" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "spoofs" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "spoofs" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "spoofs" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "spoofs" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "spoofs" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "spoofs" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "spoofs" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "spoofs" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "spoofs" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "spoofs" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "spoofs" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "spoofs" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "spoofs" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "spoofs" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "spoofs" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "spoofs" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "spoofs" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "spoofs" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "spoofs" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "spoofs" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "spoofs" + }, + { + "dest-uuid": 
"c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "spoofs" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "spoofs" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "spoofs" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "spoofs" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "spoofs" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "spoofs" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "spoofs" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "spoofs" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "spoofs" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "spoofs" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "spoofs" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "spoofs" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "spoofs" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "spoofs" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "spoofs" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "spoofs" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "spoofs" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "spoofs" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "spoofs" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "spoofs" + }, + { + "dest-uuid": 
"fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "spoofs" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "spoofs" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "spoofs" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "spoofs" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "spoofs" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "spoofs" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "spoofs" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "spoofs" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "spoofs" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "spoofs" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "spoofs" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "spoofs" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "spoofs" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "spoofs" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "spoofs" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "spoofs" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "spoofs" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "spoofs" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "spoofs" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "spoofs" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "spoofs" + }, + { + "dest-uuid": 
"ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "spoofs" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "spoofs" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "spoofs" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "spoofs" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "spoofs" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "spoofs" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "spoofs" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "spoofs" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "spoofs" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "spoofs" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "spoofs" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "spoofs" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "spoofs" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "spoofs" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "spoofs" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "spoofs" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "spoofs" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "spoofs" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "spoofs" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "spoofs" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "spoofs" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "spoofs" + }, + { + "dest-uuid": 
"e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "spoofs" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "spoofs" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "spoofs" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "spoofs" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "spoofs" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "spoofs" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "spoofs" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "spoofs" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "spoofs" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "spoofs" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "spoofs" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "spoofs" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "spoofs" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "spoofs" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "spoofs" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "spoofs" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "spoofs" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "spoofs" + } + ], + "uuid": "b859f04e-f52d-5208-8643-d3faff214e13", + "value": "Decoy File" + }, + { + "description": "Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.", + "meta": { + "external_id": "D3-DNSTA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis" + ], + 
"synonyms": [ + "Domain Name Analysis" + ] + }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "type": "may-contain" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "type": "may-contain" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "type": "may-contain" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "type": "may-contain" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + } + ], + "uuid": "cbe6cd4b-e6fb-595a-84b4-72956ac048f5", + "value": "DNS Traffic Analysis" + }, + { + "description": "Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) 
This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.", + "meta": { + "external_id": "D3-ODM", + "kill_chain": [ + "Model:Operational-Activity-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:OperationalDependencyMapping" + ] + }, + "uuid": "8410a1a0-659b-5c22-b15b-1773e7271c70", + "value": "Operational Dependency Mapping" + }, + { + "description": "Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.", + "meta": { + "external_id": "D3-LLM", + "kill_chain": [ + "Model:Network-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:LogicalLinkMapping" + ] + }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "maps" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "maps" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "maps" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "maps" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "maps" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "maps" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "maps" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "maps" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "maps" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "maps" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "maps" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "maps" + } + ], + "uuid": "9c757a9f-b2b1-5cb1-8131-0db345bac7da", + "value": "Logical Link Mapping" + }, + { + "description": "Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior 
profile or a catalog of predetermined malicious behavior.", + "meta": { + "external_id": "D3-WSAA", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:WebSessionActivityAnalysis" + ] + }, + "uuid": "3b7c5a04-c523-5600-9ac5-8dfb2765f428", + "value": "Web Session Activity Analysis" + }, + { + "description": "Physical link mapping identifies and models the link connectivity of the network devices within a physical network.", + "meta": { + "external_id": "D3-PLM", + "kill_chain": [ + "Model:Network-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:PhysicalLinkMapping" + ], + "synonyms": [ + "Layer 1 Mapping" + ] + }, + "related": [ + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "maps" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "maps" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "maps" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "maps" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "maps" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "maps" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "maps" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "maps" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "maps" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "maps" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "maps" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "maps" + } + ], + "uuid": "60e93778-5f3b-5b2d-9ab3-a9e8e2f332ef", + "value": "Physical Link Mapping" + }, + { + "description": "Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.", + "meta": { + "external_id": "D3-ANET", 
+ "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": 
"b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + } + ], + "uuid": "621e2d87-e082-5a7b-87b7-bfe28d1a3374", + "value": "Authentication Event Thresholding" + }, + { + "description": "The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**.", + "meta": { + "external_id": "D3-OSM", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring" + ] + }, + "uuid": "78797100-f740-524c-ab93-1e988a209cef", + "value": "Operating System Monitoring" + }, + { + "description": "Blocking a lookup based on the query's domain name value.", + "meta": { + "external_id": "D3-FRDDL", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ForwardResolutionDomainDenylisting" + ], + "synonyms": [ + "Forward Resolution Domain Blacklisting" + ] + }, + "related": [ + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "blocks" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "blocks" + } + ], + "uuid": "687690f0-e34e-51be-96aa-5be557feef43", + "value": "Forward Resolution Domain Denylisting" + }, + { + "description": "Detecting 
anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.", + "meta": { + "external_id": "D3-PHDURA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": 
"79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + 
"type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": 
"f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + 
"type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": 
"c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + 
"type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": 
"f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + 
"type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + } + ], + "uuid": "7f468f98-b47e-5232-9f63-5d5c1f1e5d58", + "value": "Per Host Download-Upload Ratio Analysis" + }, + { + "description": "Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.", + "meta": { + "external_id": "D3-IPCTA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:IPCTrafficAnalysis" + ], + "synonyms": [ + "IPC Analysis" + ] + }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + } + ], + "uuid": "e1a49302-a7ef-5c03-b73f-4be00608e957", + "value": "IPC Traffic Analysis" + }, + { + "description": "Modifying an application's configuration to reduce its attack surface.", + "meta": { + "external_id": "D3-ACH", + "kill_chain": [ + "Harden:Application-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening" + ] + }, + "related": [ + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "hardens" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "hardens" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "hardens" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "hardens" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "hardens" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "hardens" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "hardens" 
+ }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "hardens" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "hardens" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "hardens" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "hardens" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "hardens" + } + ], + "uuid": "8d4904ef-667f-50e4-bb55-7d20738e3155", + "value": "Application Configuration Hardening" + }, + { + "description": "Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.", + "meta": { + "external_id": "D3-NTCD", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:NetworkTrafficCommunityDeviation" + ] + }, + "related": [ + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { 
+ "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": 
"451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + 
"type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": 
"830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + 
"type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": 
"7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + 
"type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": 
"f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + } + ], + "uuid": "d6d1ec4f-3928-5656-a04a-6e80c97b74c0", + "value": "Network Traffic Community Deviation" + }, + { + "description": "Analyzing inbound network session or connection attempt volume.", + "meta": { + "external_id": "D3-ISVA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:InboundSessionVolumeAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, 
+ { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + } + ], + "uuid": "b1f4eab1-8302-547b-9e22-54d9eea625d2", + "value": "Inbound Session Volume Analysis" + }, + { + "description": "Using kernel-level capabilities to isolate processes.", + "meta": { + "external_id": "D3-KBPI", + "kill_chain": [ + "Isolate:Execution-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:Kernel-basedProcessIsolation" + ] + }, + "uuid": "bbf4fdc8-1b03-5654-b092-d8bd180d49fd", + "value": "Kernel-based Process Isolation" + }, + { + "description": "Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.", + "meta": { + "external_id": "D3-RTA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RPCTrafficAnalysis" + ], + "synonyms": [ + "RPC Protocol Analysis" + ] + }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + } + ], + "uuid": "57d0c22d-7fc8-545d-a6da-fb32a3ff2106", + "value": "RPC Traffic Analysis" + }, + { + "description": "Restoring the data in a database.", + "meta": { + "external_id": "D3-RD", + "kill_chain": [ + "Restore:Restore-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RestoreDatabase" + ] + }, + "related": [ + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "type": "restores" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restores" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "restores" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restores" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restores" + }, + { + 
"dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "restores" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "restores" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "type": "restores" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "restores" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "restores" + }, + { + "dest-uuid": "1a80d097-54df-41d8-9d33-34e755ec5e72", + "type": "restores" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "restores" + }, + { + "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", + "type": "restores" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "restores" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "restores" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restores" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "restores" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "restores" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "restores" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restores" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "restores" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restores" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "type": "restores" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "restores" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "restores" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "type": "restores" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "restores" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "restores" + }, + { + "dest-uuid": 
"bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restores" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "restores" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "restores" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "restores" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "restores" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restores" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "restores" + }, + { + "dest-uuid": "1a80d097-54df-41d8-9d33-34e755ec5e72", + "type": "restores" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "restores" + }, + { + "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", + "type": "restores" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restores" + }, + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "type": "restores" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "restores" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "restores" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "restores" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "restores" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "type": "restores" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restores" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "type": "restores" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restores" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "restores" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "restores" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "restores" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + 
"type": "restores" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "restores" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "type": "restores" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restores" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "restores" + } + ], + "uuid": "435fcc7a-b288-59f2-bd73-0165120d6d13", + "value": "Restore Database" + }, + { + "description": "Establishing a fake online identity to misdirect, deceive, and or interact with adversaries.", + "meta": { + "external_id": "D3-DP", + "kill_chain": [ + "Deceive:Decoy-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DecoyPersona" + ] + }, + "uuid": "a6478818-65c0-5991-859c-4bced927b96b", + "value": "Decoy Persona" + }, + { + "description": "Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.", + "meta": { + "external_id": "D3-SFCV", + "kill_chain": [ + "Harden:Application-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:StackFrameCanaryValidation" + ] + }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "validates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "validates" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "validates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "validates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "validates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "validates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "validates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "validates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "validates" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + 
"type": "validates" + } + ], + "uuid": "3c89698e-452a-55bd-b231-2b8a9121560c", + "value": "Stack Frame Canary Validation" + }, + { + "description": "Hardware component inventorying identifies and records the hardware items in the organization's architecture.", + "meta": { + "external_id": "D3-HCI", + "kill_chain": [ + "Model:Asset-Inventory" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:HardwareComponentInventory" + ], + "synonyms": [ + "Hardware Component Discovery", + "Hardware Component Inventorying" + ] + }, + "related": [ + { + "dest-uuid": "39131305-9282-45e4-ac3b-591d2d4fc3ef", + "type": "inventories" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "inventories" + }, + { + "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", + "type": "inventories" + }, + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "type": "inventories" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "inventories" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "type": "inventories" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "type": "inventories" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "type": "inventories" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "inventories" + }, + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "type": "inventories" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "inventories" + }, + { + "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", + "type": "inventories" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "type": "inventories" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "inventories" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "type": "inventories" + }, + { + "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", + "type": "inventories" + }, + { + "dest-uuid": 
"1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "type": "inventories" + }, + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "type": "inventories" + }, + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "type": "inventories" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "inventories" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "type": "inventories" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "inventories" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "inventories" + }, + { + "dest-uuid": "39131305-9282-45e4-ac3b-591d2d4fc3ef", + "type": "inventories" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "type": "inventories" + }, + { + "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", + "type": "inventories" + } + ], + "uuid": "980ecd8a-c1ac-5641-9fa9-d569dc659f88", + "value": "Hardware Component Inventory" + }, + { + "description": "Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.", + "meta": { + "external_id": "D3-DI", + "kill_chain": [ + "Model:Asset-Inventory" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DataInventory" + ], + "synonyms": [ + "Data Discovery", + "Data Inventorying" + ] + }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "inventories" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "inventories" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "inventories" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "inventories" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "inventories" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "inventories" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "inventories" + }, + { + 
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "inventories" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "inventories" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "inventories" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "inventories" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "inventories" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "inventories" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "inventories" + }, + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "type": "inventories" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "type": "inventories" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "inventories" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "inventories" + }, + { + "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", + "type": "inventories" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "inventories" + }, + { + "dest-uuid": "1a80d097-54df-41d8-9d33-34e755ec5e72", + "type": "inventories" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "inventories" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "inventories" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "inventories" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "type": "inventories" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "inventories" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "inventories" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "inventories" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "inventories" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": 
"inventories" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "inventories" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "inventories" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "type": "inventories" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "inventories" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "inventories" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "inventories" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "inventories" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "inventories" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "inventories" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "inventories" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "inventories" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "inventories" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "inventories" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "inventories" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "inventories" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "inventories" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "inventories" + }, + { + "dest-uuid": "1a80d097-54df-41d8-9d33-34e755ec5e72", + "type": "inventories" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "type": "inventories" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "inventories" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "inventories" + }, + { + "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", + "type": "inventories" + }, + { + "dest-uuid": 
"840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "inventories" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "inventories" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "inventories" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "inventories" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "inventories" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "inventories" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "inventories" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "type": "inventories" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "inventories" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "inventories" + }, + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "type": "inventories" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "inventories" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "inventories" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "inventories" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "inventories" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "type": "inventories" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "inventories" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "inventories" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "inventories" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "inventories" + } + ], + "uuid": "9a661e49-0ad0-59ce-a2fe-0248b0bc04cd", + "value": "Data Inventory" + }, + { + "description": "Analyzing the execution of a script to detect unauthorized user activity.", + "meta": { + "external_id": "D3-SEA", + "kill_chain": [ + 
"Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis" + ] + }, + "uuid": "fd255e90-f94a-5739-96e0-53f15ce9a235", + "value": "Script Execution Analysis" + }, + { + "description": "Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).", + "meta": { + "external_id": "D3-TBI", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:TPMBootIntegrity" + ], + "synonyms": [ + "STRM", + "Static Root of Trust Measurement" + ] + }, + "uuid": "8a6c78e5-9271-5d2a-9310-2bbf0e32ca33", + "value": "TPM Boot Integrity" + }, + { + "description": "Analyzing local user accounts to detect unauthorized activity.", + "meta": { + "external_id": "D3-LAM", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:LocalAccountMonitoring" + ] + }, + "related": [ + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "analyzes" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "analyzes" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "analyzes" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "analyzes" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "analyzes" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "analyzes" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "analyzes" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "analyzes" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "analyzes" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "analyzes" + }, + { + "dest-uuid": 
"fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "analyzes" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "analyzes" + } + ], + "uuid": "973b66cc-2e20-5d00-b721-989b5907f6d1", + "value": "Local Account Monitoring" + }, + { + "description": "Limiting access to computer input/output (IO) ports to restrict unauthorized devices.", + "meta": { + "external_id": "D3-IOPR", + "kill_chain": [ + "Isolate:Execution-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:IOPortRestriction" + ] + }, + "related": [ + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "filters" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "filters" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "type": "filters" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "type": "filters" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "type": "filters" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "filters" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "type": "filters" + }, + { + "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", + "type": "filters" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "filters" + }, + { + "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", + "type": "filters" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "type": "filters" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "filters" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "type": "filters" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "filters" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "type": "filters" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "type": "filters" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "filters" + }, + { + "dest-uuid": 
"09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "filters" + } + ], + "uuid": "8b28f8d0-4bb0-5c7f-a30e-6fee1748b4d8", + "value": "IO Port Restriction" + }, + { + "description": "The email removal technique deletes email files from system storage.", + "meta": { + "external_id": "D3-ER", + "kill_chain": [ + "Evict:File-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:EmailRemoval" + ], + "synonyms": [ + "Email Deletion" + ] + }, + "related": [ + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "may-access" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "may-access" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "deletes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "deletes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "deletes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "deletes" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "may-access" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "may-access" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "may-access" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "may-access" + } + ], + "uuid": "90dd8e5b-d458-5c1f-ae56-0401e5cfc6b8", + "value": "Email Removal" + }, + { + "description": "Executing or opening a file in a synthetic \"sandbox\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.", + "meta": { + "external_id": "D3-DA", + "kill_chain": [ + "Detect:File-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DynamicAnalysis" + ], + "synonyms": [ + "Malware Detonation", + "Malware Sandbox" + ] + }, + "related": [ + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": 
"c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "analyzes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "analyzes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "analyzes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "analyzes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + 
"type": "analyzes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "analyzes" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "analyzes" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "analyzes" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "analyzes" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": 
"dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "analyzes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "analyzes" + } + ], + "uuid": "d7f78817-ede1-5f97-94db-2d484ccc5f00", + "value": "Dynamic Analysis" + }, + { + "description": "Analyzing a call stack for return addresses which point to unexpected memory locations.", + "meta": { + "external_id": "D3-MBT", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:MemoryBoundaryTracking" + ] + }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "analyzes" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "analyzes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "analyzes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "analyzes" + }, + { + 
"dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "analyzes" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "analyzes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "analyzes" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "analyzes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "analyzes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "analyzes" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "analyzes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "analyzes" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "analyzes" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "analyzes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "analyzes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "analyzes" + } + ], + "uuid": "aa139b8e-02a6-530a-8b44-902ad7d8cca0", + "value": "Memory Boundary Tracking" + }, + { + "description": "Analyzing 
database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).", + "meta": { + "external_id": "D3-DQSA", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + } + ], + "uuid": "ed06408b-9f66-5944-b55c-460fcfd390ea", + "value": "Database Query String Analysis" + }, + { + "description": "Employing a pattern matching algorithm to statically analyze the content of files.", + "meta": { + "external_id": "D3-FCOA", + "kill_chain": [ + "Detect:File-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileContentAnalysis" + ] + }, + "uuid": "ee4e12e9-895b-56e6-b396-2c8076653d5c", + "value": "File Content Analysis" + }, + { + "description": "Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.", + "meta": { + "external_id": "D3-CI", + "kill_chain": [ + "Model:Asset-Inventory" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ConfigurationInventory" + ] + }, + "related": [ + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "inventories" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "inventories" + }, + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "type": "inventories" + }, + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "type": "inventories" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "inventories" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "inventories" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "inventories" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "inventories" + }, + { + 
"dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "inventories" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "inventories" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "inventories" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "inventories" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "inventories" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "inventories" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "inventories" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "inventories" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "inventories" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "inventories" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "inventories" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "inventories" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "inventories" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "type": "inventories" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "inventories" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "inventories" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "inventories" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "inventories" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "inventories" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "inventories" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "type": "inventories" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "type": "inventories" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "type": 
"inventories" + }, + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "type": "inventories" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "inventories" + }, + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "type": "inventories" + }, + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "type": "inventories" + }, + { + "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3", + "type": "inventories" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "inventories" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "inventories" + }, + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "type": "inventories" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "inventories" + }, + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "type": "inventories" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "type": "inventories" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "type": "inventories" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "inventories" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "inventories" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "inventories" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "inventories" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "inventories" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "inventories" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "inventories" + }, + { + "dest-uuid": "bf147104-abf9-4221-95d1-e81585859441", + "type": "inventories" + }, + { + "dest-uuid": "3d1b9d7e-3921-4d25-845a-7d9f15c0da44", + "type": "inventories" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "inventories" + }, + { + "dest-uuid": 
"ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", + "type": "inventories" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "inventories" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "type": "inventories" + }, + { + "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc", + "type": "inventories" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "inventories" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "inventories" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "inventories" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "inventories" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "inventories" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "inventories" + }, + { + "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "inventories" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "inventories" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "inventories" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "inventories" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "inventories" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "inventories" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "inventories" + }, + { + "dest-uuid": "e49920b0-6c54-40c1-9571-73723653205f", + "type": "inventories" + }, + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "type": "inventories" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "inventories" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "inventories" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "inventories" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "inventories" 
+ }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "inventories" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "inventories" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "inventories" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "inventories" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "inventories" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "inventories" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "inventories" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "inventories" + }, + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "type": "inventories" + }, + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "type": "inventories" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "inventories" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "inventories" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "inventories" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "inventories" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "inventories" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "inventories" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "inventories" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "type": "inventories" + }, + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "type": "inventories" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "inventories" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "inventories" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "inventories" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", 
+ "type": "inventories" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "inventories" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "type": "inventories" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "inventories" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "inventories" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "type": "inventories" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "inventories" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "type": "inventories" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "inventories" + }, + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "type": "inventories" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "inventories" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "inventories" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "inventories" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "inventories" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "type": "inventories" + }, + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "type": "inventories" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "inventories" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "inventories" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "inventories" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "inventories" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "inventories" + }, + { + "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "inventories" + }, + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "type": "inventories" + }, + { + "dest-uuid": 
"e49920b0-6c54-40c1-9571-73723653205f", + "type": "inventories" + }, + { + "dest-uuid": "3d1b9d7e-3921-4d25-845a-7d9f15c0da44", + "type": "inventories" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "inventories" + }, + { + "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", + "type": "inventories" + }, + { + "dest-uuid": "bf147104-abf9-4221-95d1-e81585859441", + "type": "inventories" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "inventories" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "inventories" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "inventories" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "inventories" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "type": "inventories" + }, + { + "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3", + "type": "inventories" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "inventories" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "type": "inventories" + }, + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "type": "inventories" + }, + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "type": "inventories" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "inventories" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "inventories" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "inventories" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "inventories" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "inventories" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "inventories" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "inventories" + }, + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "type": "inventories" 
+ }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "inventories" + }, + { + "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc", + "type": "inventories" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "type": "inventories" + }, + { + "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", + "type": "inventories" + } + ], + "uuid": "ad7ad696-4506-533e-815b-bf592e6bda72", + "value": "Configuration Inventory" + }, + { + "description": "Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.", + "meta": { + "external_id": "D3-EHB", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:EndpointHealthBeacon" + ], + "synonyms": [ + "Endpoint Health Telemetry" + ] + }, + "related": [ + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "monitors" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "monitors" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "monitors" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "monitors" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "monitors" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "monitors" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "monitors" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "monitors" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "monitors" + } + ], + "uuid": "294dc5cb-1390-5a0d-bd6a-b151a390afcd", + "value": "Endpoint Health Beacon" + }, + { + "description": "Ascertaining sender reputation based on information associated with a message (e.g. 
email/instant messaging).", + "meta": { + "external_id": "D3-SRA", + "kill_chain": [ + "Detect:Message-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + } + ], + "uuid": "0f7337cb-443c-5a18-8254-9a90406c7df0", + "value": "Sender Reputation Analysis" + }, + { + "description": "Restoring a entity's access to a computer network.", + "meta": { + "external_id": "D3-RNA", + "kill_chain": [ + "Restore:Restore-Access" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RestoreNetworkAccess" + ] + }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "restores" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "restores" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "restores" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "restores" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "restores" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "restores" + } + ], + "uuid": "5fb3b47e-583b-5631-8934-50a116492d77", + "value": "Restore Network Access" + }, + { + "description": "An environment created for the purpose of attracting attackers and eliciting their behaviors that is not 
connected to any production enterprise systems.", + "meta": { + "external_id": "D3-SHN", + "kill_chain": [ + "Deceive:Decoy-Environment" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:StandaloneHoneynet" + ] + }, + "uuid": "e32ffe48-419f-563e-be1b-95ca18aa3a75", + "value": "Standalone Honeynet" + }, + { + "description": "Blocking the resolution of any subdomain of a specified domain name.", + "meta": { + "external_id": "D3-HDDL", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:HierarchicalDomainDenylisting" + ], + "synonyms": [ + "Hierarchical Domain Blacklisting" + ] + }, + "uuid": "273a6f4c-6b85-5926-a967-093b16dcf7f9", + "value": "Hierarchical Domain Denylisting" + }, + { + "description": "Analyzing the duration of user sessions in order to detect unauthorized activity.", + "meta": { + "external_id": "D3-SDA", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SessionDurationAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + 
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": 
"b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + } + ], + "uuid": "64eaa3c5-ded3-5fc3-9ed5-606c93500f31", + "value": "Session Duration Analysis" + }, + { + "description": "Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.", + "meta": { + "external_id": "D3-SJA", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis" + ], + "synonyms": [ + "Scheduled Job Execution" + ] + }, + "related": [ + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "analyzes" + }, + { + "dest-uuid": 
"35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + } + ], + "uuid": "effd6eb2-42cd-53ca-8fda-b75df23a32e5", + "value": "Scheduled Job Analysis" + }, + { + "description": "Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.", + "meta": { + "external_id": "D3-ORA", + "kill_chain": [ + "Model:Operational-Activity-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:OperationalRiskAssessment" + ], + "synonyms": [ + "Mission Risk Assessment" + ] + }, + "uuid": "d39f626b-6f4f-51fa-a5fc-f2026bd3f330", + "value": "Operational Risk Assessment" + }, + { + "description": "Expiring an existing set of credentials and reissuing a new valid set", + "meta": { + "external_id": "D3-CRO", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:CredentialRotation" + ] + }, + "related": [ + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "regenerates" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "regenerates" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "regenerates" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "regenerates" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "regenerates" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "regenerates" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "regenerates" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "regenerates" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "regenerates" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "regenerates" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "regenerates" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": 
"regenerates" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "regenerates" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "regenerates" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "regenerates" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "regenerates" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "regenerates" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "regenerates" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "regenerates" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "regenerates" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "regenerates" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "regenerates" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "regenerates" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "regenerates" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "regenerates" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "regenerates" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "regenerates" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "regenerates" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "regenerates" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "regenerates" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "regenerates" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "regenerates" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "regenerates" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "regenerates" + }, + { + "dest-uuid": 
"10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "regenerates" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "regenerates" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "regenerates" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "regenerates" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "regenerates" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "regenerates" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "regenerates" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "regenerates" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "regenerates" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "regenerates" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "regenerates" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "regenerates" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "regenerates" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "regenerates" + } + ], + "uuid": "9aeb6253-9380-5adb-92cb-9ace6d888cea", + "value": "Credential Rotation" + }, + { + "description": "Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.", + "meta": { + "external_id": "D3-SFA", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": 
"analyzes" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": 
"d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + 
"type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "analyzes" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": 
"633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + } + ], + "uuid": "9ad8e124-512b-5c6f-b66b-69c71cc604b5", + "value": "System File Analysis" + }, + { + "description": "Removing tokens or credentials from an authentication cache to prevent further user associated account accesses.", + "meta": { + "external_id": "D3-ANCI", + "kill_chain": [ + "Evict:Credential-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:AuthenticationCacheInvalidation" + ] + }, + "related": [ + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "deletes" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "deletes" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "deletes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "deletes" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "deletes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "deletes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "deletes" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "deletes" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + 
"type": "deletes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "deletes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "deletes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "deletes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "deletes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "deletes" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "deletes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "deletes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "deletes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "deletes" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "deletes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "deletes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "deletes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "deletes" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "deletes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "deletes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "deletes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "deletes" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "deletes" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "deletes" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "deletes" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "deletes" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "deletes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "deletes" + }, + { + "dest-uuid": 
"d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "deletes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "deletes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "deletes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "deletes" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "deletes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "deletes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "deletes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "deletes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "deletes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "deletes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "deletes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "deletes" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "deletes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "deletes" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "deletes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "deletes" + } + ], + "uuid": "164fdf79-38bb-56fc-844f-c7c8abbfd7a2", + "value": "Authentication Cache Invalidation" + }, + { + "description": "Comparing client-server request and response payloads to a baseline profile to identify outliers.", + "meta": { + "external_id": "D3-CSPP", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling" + ] + }, + "related": [ + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": 
"analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": 
"70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + 
"type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": 
"10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + 
"type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": 
"28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + 
"type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": 
"4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + } + ], + "uuid": "7887aa4f-b724-5df5-a07b-9eb89706d7c7", + "value": "Client-server Payload Profiling" + }, + { + "description": "Analyzing sequences of bytes and determining if they likely represent malicious shellcode.", + "meta": { + "external_id": "D3-BSE", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ByteSequenceEmulation" + ], + 
"synonyms": [ + "Shellcode Transmission Detection" + ] + }, + "uuid": "cd8e283c-bc7d-55de-a6c5-88b480316485", + "value": "Byte Sequence Emulation" + }, + { + "description": "Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.", + "meta": { + "external_id": "D3-SSC", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ShadowStackComparisons" + ] + }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "analyzes" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "analyzes" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "analyzes" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "analyzes" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + } + ], + "uuid": "856204a9-0a3e-59e8-8858-f75f1ed09aea", + "value": "Shadow Stack Comparisons" + }, + { + "description": "Analyzing the reputation of an identifier.", + "meta": { + "external_id": "D3-IRA", + "kill_chain": [ + "Detect:Identifier-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis" + ] + }, + "uuid": "ca03c9c0-09ac-51c5-85f5-4992bc29e5ef", + "value": "Identifier Reputation Analysis" + }, + { + "description": "Restoring a file for an entity to access.", + "meta": { + "external_id": "D3-RF", + "kill_chain": [ + "Restore:Restore-Object" + ], + "refs": [ + 
"https://d3fend.mitre.org/technique/d3f:RestoreFile" + ] + }, + "related": [ + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "restores" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "restores" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restores" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restores" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "restores" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restores" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restores" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "restores" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "restores" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restores" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restores" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restores" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "restores" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restores" + }, + { + "dest-uuid": 
"3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restores" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restores" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restores" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restores" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restores" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restores" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restores" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restores" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "restores" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "restores" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restores" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "restores" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "restores" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restores" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "restores" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "restores" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "restores" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restores" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restores" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + 
"type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "restores" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "restores" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "restores" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restores" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restores" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "restores" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restores" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restores" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restores" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "restores" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "restores" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "restores" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restores" + }, + { + "dest-uuid": 
"c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "restores" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restores" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "restores" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restores" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restores" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "restores" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "restores" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "restores" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "restores" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "restores" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restores" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restores" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "restores" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restores" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restores" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restores" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restores" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restores" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "restores" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "restores" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restores" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restores" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "restores" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + 
"type": "restores" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "restores" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restores" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restores" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restores" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restores" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "restores" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restores" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restores" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restores" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restores" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restores" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restores" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restores" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restores" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "restores" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "restores" + }, + { + "dest-uuid": 
"79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restores" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restores" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restores" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restores" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "restores" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "restores" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "restores" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restores" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restores" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "restores" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restores" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "restores" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "restores" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restores" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "restores" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "restores" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restores" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "restores" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + 
"type": "restores" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "restores" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restores" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restores" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restores" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "restores" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restores" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "restores" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restores" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "restores" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "restores" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "restores" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restores" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "restores" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "restores" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "restores" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "restores" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "restores" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "restores" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "restores" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restores" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "restores" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "restores" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restores" + }, + { + "dest-uuid": 
"c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "restores" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restores" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "restores" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restores" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "restores" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "restores" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "restores" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "restores" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "restores" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "restores" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "restores" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restores" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "restores" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restores" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restores" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restores" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "restores" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restores" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "restores" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + 
"type": "restores" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restores" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restores" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restores" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "restores" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "restores" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "restores" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restores" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restores" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "restores" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "restores" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restores" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "restores" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "restores" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restores" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restores" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "restores" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "restores" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "restores" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "restores" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restores" + }, + { + "dest-uuid": 
"30208d3e-0d6b-43c8-883e-44462a514619", + "type": "restores" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "restores" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "restores" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "restores" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restores" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restores" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "restores" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restores" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "restores" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restores" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restores" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "restores" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "restores" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "restores" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restores" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + 
"type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restores" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restores" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "restores" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restores" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "restores" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restores" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restores" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "restores" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "restores" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "restores" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restores" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restores" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restores" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restores" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "restores" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restores" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restores" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restores" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "restores" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "restores" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restores" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restores" + }, + { + "dest-uuid": 
"5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "restores" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "restores" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "restores" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restores" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "restores" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "restores" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "restores" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "restores" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "restores" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "restores" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restores" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "restores" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "restores" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restores" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "restores" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restores" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "restores" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + 
"type": "restores" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "restores" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "restores" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restores" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "restores" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "restores" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restores" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "restores" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "restores" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "restores" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "restores" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "restores" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "restores" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "restores" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "restores" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restores" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "restores" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restores" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "restores" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "restores" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "restores" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "restores" + }, + { + "dest-uuid": 
"41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "restores" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restores" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "restores" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restores" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "restores" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restores" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restores" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restores" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "restores" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "restores" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restores" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "restores" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "restores" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "restores" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "restores" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "restores" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restores" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "restores" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "restores" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "restores" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "restores" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "restores" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "restores" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + 
"type": "restores" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restores" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "restores" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "restores" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "restores" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "restores" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "restores" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "restores" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "restores" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "restores" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restores" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "restores" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "restores" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "restores" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "restores" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "restores" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "restores" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "restores" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "restores" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "restores" + }, + { + "dest-uuid": 
"c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "restores" + } + ], + "uuid": "dbda8fde-6305-5d3e-abe9-44ec7923332d", + "value": "Restore File" + }, + { + "description": "Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.", + "meta": { + "external_id": "D3-OM", + "kill_chain": [ + "Model:Operational-Activity-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:OrganizationMapping" + ] + }, + "uuid": "3098eddc-8716-535c-a459-21372b3d3ec1", + "value": "Organization Mapping" + }, + { + "description": "The process of temporarily disabling user accounts on a system or domain.", + "meta": { + "external_id": "D3-AL", + "kill_chain": [ + "Evict:Credential-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:AccountLocking" + ] + }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "disables" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "disables" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "disables" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "disables" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "disables" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "disables" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "disables" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "disables" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "disables" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "disables" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "disables" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "disables" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "disables" + }, + { + "dest-uuid": 
"c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "disables" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "disables" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "disables" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "disables" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "disables" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "disables" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "disables" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "disables" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "disables" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "disables" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "disables" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "disables" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "disables" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "disables" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "disables" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "disables" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "disables" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "disables" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "disables" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "disables" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "disables" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "disables" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "disables" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + 
"type": "disables" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "disables" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "disables" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "disables" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "disables" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "disables" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "disables" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "disables" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "disables" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "disables" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "disables" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "disables" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "disables" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "disables" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "disables" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "disables" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "disables" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "disables" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "disables" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "disables" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "disables" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "disables" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "disables" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "disables" + }, + { + "dest-uuid": 
"6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "disables" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "disables" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "disables" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "disables" + } + ], + "uuid": "4052a304-6e0c-5e59-b5f2-844d5a4e556d", + "value": "Account Locking" + }, + { + "description": "Configuring a kernel to use an allow or deny list to filter kernel api calls.", + "meta": { + "external_id": "D3-SCF", + "kill_chain": [ + "Isolate:Execution-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemCallFiltering" + ] + }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "filters" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "filters" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "filters" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "filters" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "filters" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "filters" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "filters" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "filters" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "filters" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "filters" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "filters" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "filters" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "filters" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "filters" + }, + { + "dest-uuid": 
"ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "filters" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "filters" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "filters" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "filters" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "filters" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "filters" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "filters" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "filters" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "filters" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "filters" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "filters" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "filters" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "filters" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "filters" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "filters" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "filters" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "filters" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "filters" + }, + 
{ + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "filters" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "filters" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "filters" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "filters" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "filters" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "filters" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "filters" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "filters" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "filters" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "filters" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "filters" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "filters" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "filters" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "filters" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "filters" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "filters" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "filters" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "filters" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": 
"filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "filters" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "filters" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "filters" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "filters" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "filters" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "filters" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "filters" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "filters" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "filters" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "filters" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "filters" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "filters" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "filters" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "filters" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "filters" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "filters" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "filters" + }, + { + "dest-uuid": 
"7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "filters" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "filters" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "filters" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "filters" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "filters" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "filters" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "filters" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "filters" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "filters" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "filters" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "filters" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "filters" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "filters" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "filters" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "filters" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "filters" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "filters" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "filters" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "filters" + }, + 
{ + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "filters" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "filters" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "filters" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "filters" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "filters" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "filters" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "filters" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "filters" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "filters" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "filters" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "filters" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "filters" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": 
"filters" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "filters" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "filters" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "filters" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "filters" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "filters" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "filters" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "filters" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "filters" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "filters" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "filters" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "filters" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "filters" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "filters" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "filters" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "filters" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "filters" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "filters" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "filters" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "filters" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "filters" + }, + { + "dest-uuid": 
"045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "filters" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "filters" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "filters" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "filters" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "filters" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "filters" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "filters" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "filters" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "filters" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "filters" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "filters" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "filters" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "filters" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "filters" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "filters" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "filters" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "filters" + }, + 
{ + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "filters" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "filters" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "filters" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "filters" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "filters" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "filters" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "filters" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "filters" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "filters" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "filters" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "filters" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "filters" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "filters" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "filters" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "filters" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "filters" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "filters" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "filters" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": 
"filters" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "filters" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "filters" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "filters" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "filters" + } + ], + "uuid": "54c5144f-e0da-5e35-bae8-0f25190fe9fb", + "value": "System Call Filtering" + }, + { + "description": "Employing file hash comparisons to detect known malware.", + "meta": { + "external_id": "D3-FH", + "kill_chain": [ + "Detect:File-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileHashing" + ] + }, + "uuid": "44eeb025-a766-5466-99c5-3d7b35da7cef", + "value": "File Hashing" + }, + { + "description": "Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.", + "meta": { + "external_id": "D3-SMRA", + "kill_chain": [ + "Detect:Message-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + } + ], + "uuid": "2ba221f7-36e5-56b6-a8bf-474393f2d17d", + "value": "Sender MTA Reputation Analysis" + }, + { + "description": "Cryptographically 
verifying firmware integrity.", + "meta": { + "external_id": "D3-FV", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FirmwareVerification" + ] + }, + "related": [ + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "verifies" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "verifies" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "verifies" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "verifies" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "verifies" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "verifies" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "verifies" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "verifies" + }, + { + "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", + "type": "verifies" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "verifies" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "verifies" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "verifies" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "verifies" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "verifies" + } + ], + "uuid": "50cb8ffe-e413-5009-89a3-85ed3c23f98b", + "value": "Firmware Verification" + }, + { + "description": "Validates that a referenced exception handler pointer is a valid exception handler.", + "meta": { + "external_id": "D3-EHPV", + "kill_chain": [ + "Harden:Application-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ExceptionHandlerPointerValidation" + ], + "synonyms": [ + "Exception Handler Validation" + ] + }, + "uuid": "cca03b22-4c86-5f27-af13-d98a62989fce", + "value": "Exception Handler Pointer Validation" + }, + { + "description": 
"Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.", + "meta": { + "external_id": "D3-RTSD", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection" + ] + }, + "related": [ + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", 
+ "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": 
"451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + 
"type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": 
"bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + 
"type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": 
"451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + 
"type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": 
"9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + } + ], + "uuid": "3e3e2630-f8e8-5ed2-b93e-97dacb8dec2f", + "value": "Remote Terminal Session Detection" + }, + { + "description": "Analyzing the amount of data transferred by a user.", + "meta": { + "external_id": "D3-UDTA", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:UserDataTransferAnalysis" + ] + }, + "uuid": "d0b7e3f9-64a6-566d-8a60-343c37365c14", + "value": "User Data Transfer Analysis" + }, + { + "description": "Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity.", + "meta": { + "external_id": "D3-PCA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:PassiveCertificateAnalysis" + ] + }, + "uuid": "eb910451-3782-57e7-a944-c9c3f0ea20e7", + "value": "Passive Certificate Analysis" + }, + { + "description": "Preventing execution of any address in a memory region other than the code segment.", + "meta": { + "external_id": "D3-PSEP", + "kill_chain": [ + "Harden:Application-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention" + ], + "synonyms": [ + "Execute Disable", + "No Execute" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "neutralizes" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "type": "neutralizes" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "neutralizes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "neutralizes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "neutralizes" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "neutralizes" + }, + { + 
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "neutralizes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "neutralizes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "neutralizes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "neutralizes" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "neutralizes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "neutralizes" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "neutralizes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "neutralizes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "neutralizes" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "neutralizes" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "type": "neutralizes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "neutralizes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "neutralizes" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "neutralizes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "neutralizes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "neutralizes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "neutralizes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "neutralizes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "neutralizes" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "neutralizes" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "neutralizes" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "neutralizes" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": 
"neutralizes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "neutralizes" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "neutralizes" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "neutralizes" + } + ], + "uuid": "c4ed798d-87da-5ad6-9473-bfca807cf7af", + "value": "Process Segment Execution Prevention" + }, + { + "description": "Deleting a set of credentials permanently to prevent them from being used to authenticate.", + "meta": { + "external_id": "D3-CR", + "kill_chain": [ + "Evict:Credential-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:CredentialRevoking" + ] + }, + "related": [ + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "deletes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "deletes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "deletes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "deletes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "deletes" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "deletes" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "deletes" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "deletes" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "deletes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "deletes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "deletes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "deletes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "deletes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "deletes" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "deletes" + }, + { + "dest-uuid": 
"09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "deletes" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "deletes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "deletes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "deletes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "deletes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "deletes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "deletes" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "deletes" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "deletes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "deletes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "deletes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "deletes" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "deletes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "deletes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "deletes" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "deletes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "deletes" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "deletes" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "deletes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "deletes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "deletes" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "deletes" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "deletes" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "deletes" + }, + 
{ + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "deletes" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "deletes" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "deletes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "deletes" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "deletes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "deletes" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "deletes" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "deletes" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "deletes" + } + ], + "uuid": "1cb26037-3ff3-5121-bf6b-2905ecb69baa", + "value": "Credential Revoking" + }, + { + "description": "Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems.", + "meta": { + "external_id": "D3-AM", + "kill_chain": [ + "Model:Operational-Activity-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:AccessModeling" + ] + }, + "related": [ + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "maps" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "maps" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "maps" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "maps" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "maps" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "maps" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "maps" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "maps" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "maps" + }, + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "type": "maps" + }, + { + 
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "maps" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "maps" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "maps" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "maps" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "maps" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "maps" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "maps" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "maps" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "type": "maps" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "maps" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "maps" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "maps" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "maps" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "maps" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "maps" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "maps" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "maps" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "maps" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "maps" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "maps" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "maps" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "maps" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "maps" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "maps" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + 
"type": "maps" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "maps" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "maps" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "maps" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "maps" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "maps" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "maps" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "type": "maps" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "maps" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "maps" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "maps" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "maps" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "maps" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "maps" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "maps" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "maps" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "maps" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "maps" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "maps" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "maps" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "maps" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "maps" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "maps" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "maps" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "maps" + }, + { + "dest-uuid": 
"b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "maps" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "maps" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "maps" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "maps" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "maps" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "maps" + }, + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "type": "maps" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "maps" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "maps" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "maps" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "maps" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "maps" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "maps" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "maps" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "maps" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "maps" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "maps" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "maps" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "maps" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "maps" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "maps" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "maps" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "maps" + } + ], + "uuid": "b595da0c-45da-5901-bb78-00fc6d977045", + "value": "Access Modeling" + }, + { + "description": "Ensuring the integrity of drivers loaded 
during initialization of the operating system.", + "meta": { + "external_id": "D3-DLIC", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DriverLoadIntegrityChecking" + ] + }, + "uuid": "07b40f59-fbd5-52ba-b0e2-f9411659dabe", + "value": "Driver Load Integrity Checking" + }, + { + "description": "Analyzing the reputation of a domain name.", + "meta": { + "external_id": "D3-DNRA", + "kill_chain": [ + "Detect:Identifier-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DomainNameReputationAnalysis" + ] + }, + "uuid": "03dfb88e-364e-5c21-9d7d-59029e54c9c5", + "value": "Domain Name Reputation Analysis" + }, + { + "description": "Restricting system configuration modifications to a specific user or group of users.", + "meta": { + "external_id": "D3-SCP", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemConfigurationPermissions" + ] + }, + "related": [ + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "restricts" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "restricts" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "restricts" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "restricts" + }, + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "type": "restricts" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "restricts" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "restricts" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restricts" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "restricts" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restricts" + }, + { + "dest-uuid": 
"6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "restricts" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restricts" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restricts" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "restricts" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "type": "restricts" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restricts" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "type": "restricts" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "restricts" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "restricts" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "restricts" + }, + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "type": "restricts" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "restricts" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restricts" + }, + { + "dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "type": "restricts" + }, + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "type": "restricts" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "restricts" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "restricts" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "restricts" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "restricts" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "restricts" + }, + { + "dest-uuid": 
"c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "restricts" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "restricts" + } + ], + "uuid": "ac54cd72-5a21-5025-95fb-39b096f0ee0f", + "value": "System Configuration Permissions" + }, + { + "description": "Detecting any suspicious changes to files in a computer system.", + "meta": { + "external_id": "D3-FIM", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileIntegrityMonitoring" + ] + }, + "related": [ + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + 
"dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "analyzes" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "analyzes" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "analyzes" + }, + { + "dest-uuid": 
"92a78814-b191-47ca-909c-1ccfe3777414", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "analyzes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "analyzes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "analyzes" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "analyzes" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "analyzes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "analyzes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "analyzes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "analyzes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "analyzes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + 
"type": "analyzes" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "analyzes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "analyzes" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "analyzes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "analyzes" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "analyzes" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "analyzes" + }, + { + "dest-uuid": 
"4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "analyzes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "analyzes" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "analyzes" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "analyzes" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "analyzes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "analyzes" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + 
"type": "analyzes" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "analyzes" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "analyzes" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "analyzes" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "analyzes" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "analyzes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "analyzes" + }, + { + "dest-uuid": 
"573ad264-1371-4ae0-8482-d2673b719dba", + "type": "analyzes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "analyzes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "analyzes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "analyzes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "analyzes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "analyzes" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "analyzes" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + 
"type": "analyzes" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "analyzes" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "analyzes" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "analyzes" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "analyzes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "analyzes" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "analyzes" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": 
"4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "analyzes" + }, + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "type": "analyzes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "analyzes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "analyzes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "analyzes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "analyzes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "analyzes" + }, + { + "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + 
"type": "analyzes" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "analyzes" + }, + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "type": "analyzes" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "analyzes" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "analyzes" + }, + { + "dest-uuid": 
"06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "analyzes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "analyzes" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "analyzes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "analyzes" + }, + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "type": "analyzes" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "analyzes" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "analyzes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "analyzes" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + 
"type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "analyzes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "analyzes" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "analyzes" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "analyzes" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "analyzes" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "analyzes" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "type": "analyzes" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "analyzes" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": 
"63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "analyzes" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "analyzes" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "analyzes" + }, + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "type": "analyzes" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + 
"type": "analyzes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "analyzes" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "analyzes" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "analyzes" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "analyzes" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "analyzes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "analyzes" + }, + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "type": "analyzes" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "analyzes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "analyzes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "type": "analyzes" + }, + { + "dest-uuid": 
"63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "analyzes" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "analyzes" + }, + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "type": "analyzes" + }, + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "analyzes" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "e5cc9e7a-e61a-46a1-b869-55fb6eab058e", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "type": "analyzes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "analyzes" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + 
"type": "analyzes" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "analyzes" + }, + { + "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "analyzes" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "type": "analyzes" + } + ], + "uuid": "a6c54822-7f49-5770-a99f-29af0d08bf31", + "value": "File Integrity Monitoring" + }, + { + "description": "Identifying and extracting files from network application protocols through the use of network stream reassembly software.", + "meta": { + "external_id": "D3-FC", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileCarving" + ] + }, + "related": [ + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + } + ], + "uuid": "622fc290-78ea-5b80-9676-afd844e30b56", + "value": "File Carving" + }, + { + "description": "Blocking the execution of files on a host in accordance with defined application policy rules.", + "meta": { + "external_id": "D3-EDL", + "kill_chain": [ + "Isolate:Execution-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting" + ], + "synonyms": [ + "Executable Blacklisting" + ] + }, + "related": [ + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "blocks" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "blocks" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "blocks" 
+ }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "blocks" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "blocks" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "blocks" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "blocks" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "blocks" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "blocks" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "blocks" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "blocks" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "blocks" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "blocks" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "blocks" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", 
+ "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "blocks" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "blocks" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "blocks" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "blocks" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "blocks" + }, + { + "dest-uuid": 
"354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "blocks" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "blocks" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "blocks" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "blocks" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "blocks" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "blocks" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "blocks" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "blocks" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "blocks" + 
}, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "blocks" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "blocks" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "blocks" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "blocks" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "blocks" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "blocks" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "blocks" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "blocks" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": 
"ebbe170d-aa74-4946-8511-9921243415a3", + "type": "blocks" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "blocks" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "blocks" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "blocks" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "blocks" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "blocks" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "blocks" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "blocks" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "blocks" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "blocks" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + 
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "blocks" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "blocks" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "blocks" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "blocks" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "blocks" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "blocks" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "blocks" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "blocks" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "blocks" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "blocks" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + 
"type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "blocks" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "blocks" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "blocks" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "blocks" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "blocks" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "blocks" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "blocks" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "blocks" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "blocks" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "blocks" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "blocks" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "blocks" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "blocks" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": 
"63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "blocks" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "blocks" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "blocks" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + } + ], + "uuid": "4cfdeb35-2f05-591c-b28c-c41a7ce4e520", + "value": "Executable Denylisting" + }, + { + "description": "A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.", + "meta": { + "external_id": "D3-CHN", + "kill_chain": [ + "Deceive:Decoy-Environment" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ConnectedHoneynet" + ] + }, + "uuid": "8dfb525b-bbe8-5092-86b2-4e00969bb712", + "value": "Connected Honeynet" + }, + { + "description": "Restricting a user account's access to resources.", + "meta": { + "external_id": "D3-UAP", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:UserAccountPermissions" + ] + 
}, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restricts" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restricts" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restricts" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "restricts" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restricts" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restricts" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restricts" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "restricts" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restricts" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restricts" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restricts" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "restricts" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restricts" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restricts" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restricts" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restricts" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "restricts" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restricts" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restricts" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restricts" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restricts" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restricts" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restricts" + }, + { 
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restricts" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restricts" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restricts" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restricts" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restricts" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restricts" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restricts" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restricts" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restricts" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restricts" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restricts" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restricts" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restricts" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restricts" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restricts" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restricts" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restricts" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "restricts" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restricts" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restricts" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restricts" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restricts" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "restricts" + }, + { + "dest-uuid": 
"c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restricts" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "restricts" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restricts" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restricts" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restricts" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restricts" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restricts" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restricts" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restricts" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restricts" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restricts" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restricts" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restricts" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restricts" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restricts" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restricts" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restricts" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "restricts" + } + ], + "uuid": "5da33a29-c3a3-5235-80b7-58cbf01da3a5", + "value": "User Account Permissions" + }, + { + "description": "Comparing the \"text\" or \"code\" memory segments to a source of truth.", + "meta": { + "external_id": "D3-PCSV", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ProcessCodeSegmentVerification" + ] + }, + "related": [ + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": 
"verifies" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "verifies" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "verifies" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "verifies" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "verifies" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "verifies" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "verifies" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "verifies" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "verifies" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "verifies" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "verifies" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "verifies" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "verifies" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "verifies" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "type": "verifies" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "verifies" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "verifies" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "verifies" + } + ], + "uuid": "fbab09d5-0032-5dff-8122-6afeddab8cff", + "value": "Process Code Segment Verification" + }, + { + "description": "Persisting either a server's X.509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.", + "meta": { + "external_id": "D3-CP", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:CertificatePinning" + ] + }, + "uuid": 
"2a4d2791-e193-57af-a4c1-b6f1409a8ebd", + "value": "Certificate Pinning" + }, + { + "description": "Permitting only approved domains and their subdomains to be resolved.", + "meta": { + "external_id": "D3-DNSAL", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DNSAllowlisting" + ], + "synonyms": [ + "DNS Whitelisting" + ] + }, + "related": [ + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "blocks" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "blocks" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "blocks" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "blocks" + } + ], + "uuid": "99a2e93d-e41a-552c-b32a-7ed9820a9126", + "value": "DNS Allowlisting" + }, + { + "description": "The practice of setting decoys in a production environment to entice interaction from attackers.", + "meta": { + "external_id": "D3-IHN", + "kill_chain": [ + "Deceive:Decoy-Environment" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:IntegratedHoneynet" + ] + }, + "uuid": "2cf6eef1-6a36-59bc-8157-2d825e35b90d", + "value": "Integrated Honeynet" + }, + { + "description": "Adding physical barriers to a platform to prevent undesired radio interference.", + "meta": { + "external_id": "D3-RFS", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RFShielding" + ] + }, + "uuid": "e9ae72b7-3c4d-5680-8112-532cca3ed550", + "value": "RF Shielding" + }, + { + "description": "Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.", + "meta": { + "external_id": "D3-SCA", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "analyzes" + }, + { + "dest-uuid": 
"cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "analyzes" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "analyzes" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "analyzes" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "analyzes" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "analyzes" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "analyzes" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "analyzes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "analyzes" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + 
"type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "analyzes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "analyzes" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "analyzes" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "analyzes" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "analyzes" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "analyzes" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "analyzes" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "analyzes" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "analyzes" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "analyzes" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "analyzes" + }, + { + "dest-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "analyzes" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "analyzes" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "analyzes" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + 
"type": "analyzes" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "analyzes" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "analyzes" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "analyzes" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "analyzes" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "analyzes" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "analyzes" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "analyzes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "analyzes" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "analyzes" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "analyzes" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "analyzes" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "analyzes" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "analyzes" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "analyzes" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "analyzes" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", + "type": "analyzes" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + 
"type": "analyzes" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "analyzes" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "analyzes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "analyzes" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "98be40f2-c86b-4ade-b6fc-4964932040e5", + "type": "analyzes" + }, + { + "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", + "type": "analyzes" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "analyzes" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "analyzes" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "analyzes" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "analyzes" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + } + ], + "uuid": "8efc9cbd-0353-5a6f-8b9b-dcc72a91e8cd", + "value": "System Call Analysis" + }, + { + "description": "Cryptographically verifying peripheral firmware integrity.", + "meta": { + 
"external_id": "D3-PFV", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:PeripheralFirmwareVerification" + ] + }, + "uuid": "1712071c-f306-54a3-8d20-092ec6649003", + "value": "Peripheral Firmware Verification" + }, + { + "description": "Network traffic policy mapping identifies and models the allowed pathways of data at the network, tranport, and/or application levels.", + "meta": { + "external_id": "D3-NTPM", + "kill_chain": [ + "Model:Network-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:NetworkTrafficPolicyMapping" + ], + "synonyms": [ + "DLP Policy Mapping", + "Firewall Mapping", + "IPS Policy Mapping", + "Web Security Gateway Policy Mapping" + ] + }, + "related": [ + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "type": "maps" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "maps" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "type": "maps" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "maps" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "maps" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "maps" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "maps" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "maps" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "maps" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "maps" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "maps" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "type": "maps" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "maps" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "maps" + }, + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "type": "maps" + }, + { + "dest-uuid": 
"8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "type": "maps" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "maps" + }, + { + "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", + "type": "maps" + } + ], + "uuid": "19aec027-51a7-55de-a2c9-33a8cd40802e", + "value": "Network Traffic Policy Mapping" + }, + { + "description": "Analyzing the reputation of an IP address.", + "meta": { + "external_id": "D3-IPRA", + "kill_chain": [ + "Detect:Identifier-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:IPReputationAnalysis" + ] + }, + "uuid": "674fc229-ea1b-5a79-8a8c-445ed579d634", + "value": "IP Reputation Analysis" + }, + { + "description": "Blocking a reverse DNS lookup's answer's domain name value.", + "meta": { + "external_id": "D3-RRDD", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ReverseResolutionDomainDenylisting" + ], + "synonyms": [ + "Reverse Resolution Domain Blacklisting" + ] + }, + "uuid": "0f4c7202-d19e-5fef-ae15-e82e14d4337a", + "value": "Reverse Resolution Domain Denylisting" + }, + { + "description": "Using a digital signature to authenticate a file before opening.", + "meta": { + "external_id": "D3-EAL", + "kill_chain": [ + "Isolate:Execution-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting" + ], + "synonyms": [ + "File Signature Authentication" + ] + }, + "related": [ + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "blocks" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "blocks" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": 
"7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "blocks" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "blocks" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "blocks" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "blocks" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "blocks" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "blocks" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "blocks" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "blocks" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "blocks" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "blocks" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": 
"restricts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "blocks" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "blocks" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "blocks" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "blocks" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "blocks" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "blocks" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "blocks" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "blocks" + }, + { + "dest-uuid": 
"c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "blocks" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "blocks" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "blocks" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "blocks" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "blocks" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "blocks" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "blocks" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "blocks" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "blocks" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "blocks" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "blocks" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "blocks" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "blocks" + }, + 
{ + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "blocks" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "blocks" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "blocks" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "blocks" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "blocks" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + 
"type": "restricts" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "blocks" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "blocks" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "blocks" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "blocks" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "blocks" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "blocks" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "blocks" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "blocks" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": 
"bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "blocks" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "blocks" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "blocks" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "blocks" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "blocks" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "blocks" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "blocks" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "blocks" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "blocks" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "blocks" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "blocks" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "blocks" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "blocks" + 
}, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "blocks" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "blocks" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "blocks" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "blocks" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "blocks" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "blocks" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "blocks" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "blocks" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "blocks" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "blocks" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "blocks" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": 
"a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "blocks" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "blocks" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "blocks" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "blocks" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "blocks" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "blocks" + } + ], + "uuid": "bf384e38-6fa5-5159-b729-c8bb3af47fe6", + "value": "Executable Allowlisting" + }, + { + "description": "A Credential created for the purpose of deceiving an adversary.", + "meta": { + "external_id": "D3-DUC", + "kill_chain": [ + "Deceive:Decoy-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DecoyUserCredential" + ] + }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "spoofs" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "spoofs" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "spoofs" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "spoofs" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "spoofs" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "spoofs" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "spoofs" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "spoofs" + }, + { + "dest-uuid": 
"10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "spoofs" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "spoofs" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "spoofs" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "spoofs" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "spoofs" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "spoofs" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "spoofs" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "spoofs" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "spoofs" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "spoofs" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "spoofs" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "spoofs" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "spoofs" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "spoofs" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "spoofs" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "spoofs" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "spoofs" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "spoofs" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "spoofs" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "spoofs" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "spoofs" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "spoofs" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "spoofs" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "spoofs" + }, + { + "dest-uuid": 
"d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "spoofs" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "spoofs" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "spoofs" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "spoofs" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "spoofs" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "spoofs" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "spoofs" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "spoofs" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "spoofs" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "spoofs" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "spoofs" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "spoofs" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "spoofs" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "spoofs" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "spoofs" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "spoofs" + } + ], + "uuid": "9a7bed7b-0baa-5232-b24f-de436702894d", + "value": "Decoy User Credential" + }, + { + "description": "Active physical link mapping sends and receives network traffic as a means to map the physical layer.", + "meta": { + "external_id": "D3-APLM", + "kill_chain": [ + "Model:Network-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ActivePhysicalLinkMapping" + ], + "synonyms": [ + "Active Physical Layer Mapping" + ] + }, + "uuid": "f8cda405-1809-5fad-943f-ce794c67c2d6", + "value": "Active Physical Link Mapping" + }, + { + "description": "Tracking changes to the state or configuration of critical system level processes.", + "meta": { + "external_id": 
"D3-SDM", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemDaemonMonitoring" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "monitors" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "monitors" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "monitors" + } + ], + "uuid": 
"be40547e-6646-5d8c-8064-f083a8791ec7", + "value": "System Daemon Monitoring" + }, + { + "description": "Determining if a URL is benign or malicious by analyzing the URL or its components.", + "meta": { + "external_id": "D3-UA", + "kill_chain": [ + "Detect:Identifier-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:URLAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + } + ], + "uuid": "5c24a72a-e61a-51e9-b6e5-911755b32ee0", + "value": "URL Analysis" + }, + { + "description": "Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.", + "meta": { + "external_id": "D3-ACA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ActiveCertificateAnalysis" + ] + }, + "uuid": "a0c35dda-500c-5845-a6a1-5de02df3bed6", + "value": "Active Certificate Analysis" + }, + { + "description": "Analyzing modifications to user session config files such as .bashrc or .bash_profile.", + "meta": { + "external_id": "D3-USICA", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:UserSessionInitConfigAnalysis" + ], + "synonyms": [ + "User Startup Config Analysis" + ] + }, + "related": [ + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + 
"type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "type": "analyzes" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "type": "analyzes" + } + ], + "uuid": "a15581c3-dacb-513e-a7bc-54f76a4b2554", + "value": "User Session Init Config Analysis" + }, + { + "description": "Emulating instructions in a file looking for specific patterns.", + "meta": { + "external_id": "D3-EFA", + "kill_chain": [ + "Detect:File-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:EmulatedFileAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "analyzes" + }, + { + "dest-uuid": "c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + "type": "analyzes" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + 
"type": "analyzes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "analyzes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "analyzes" + }, + { + "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "analyzes" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "analyzes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "analyzes" + }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "analyzes" + }, + { + "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", + "type": "analyzes" + }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "type": "analyzes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "analyzes" + }, + { + "dest-uuid": 
"bf96a5a3-3bce-43b7-8597-88545984c07b", + "type": "analyzes" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "type": "analyzes" + }, + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", + "type": "analyzes" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "type": "analyzes" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "analyzes" + }, + { + "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "analyzes" + }, + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "analyzes" + }, + { + "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", + 
"type": "analyzes" + }, + { + "dest-uuid": "63220765-d418-44de-8fae-694b3912317d", + "type": "analyzes" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "analyzes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "analyzes" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "type": "analyzes" + } + ], + "uuid": "66fe2000-adca-5925-ba07-730a792bf17d", + "value": "Emulated File Analysis" + }, + { + "description": "Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.", + "meta": { + "external_id": "D3-HD", + "kill_chain": [ + "Detect:Identifier-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:HomoglyphDetection" + ] + }, + "related": [ + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "analyzes" + }, + { + 
"dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + } + ], + "uuid": "1d230cb4-3f98-5241-95df-90a76583cfac", + "value": "Homoglyph Detection" + }, + { + "description": "Comparing the cryptographic hash or derivative of a pointer's value to an expected value.", + "meta": { + "external_id": "D3-PAN", + "kill_chain": [ + "Harden:Application-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:PointerAuthentication" + ] + }, + "uuid": "122f35a5-4f26-5e24-aa9e-51ba21f2d11c", + "value": "Pointer Authentication" + }, + { + "description": "Cryptographically authenticating the bootloader software before system boot.", + "meta": { + "external_id": "D3-BA", + "kill_chain": [ + "Harden:Platform-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:BootloaderAuthentication" + ], + "synonyms": [ + "Secure Boot" + ] + }, + "related": [ + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "authenticates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "authenticates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "authenticates" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "type": "authenticates" + } + ], + "uuid": "a534994d-125d-549d-bbd5-20f31a2eee6c", + "value": "Bootloader Authentication" + }, + { + "description": "Restoring an email for an entity to access.", + "meta": { + "external_id": "D3-RE", + "kill_chain": [ + "Restore:Restore-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RestoreEmail" + ] + }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "restores" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "restores" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "restores" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + 
"type": "restores" + } + ], + "uuid": "680e813d-2f92-56a8-8b40-2982242b2ae7", + "value": "Restore Email" + }, + { + "description": "Broadcast isolation restricts the number of computers a host can contact on their LAN.", + "meta": { + "external_id": "D3-BDI", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:BroadcastDomainIsolation" + ], + "synonyms": [ + "Network Segmentation" + ] + }, + "uuid": "a7b7017a-6daa-564d-8b25-ed571952d0c0", + "value": "Broadcast Domain Isolation" + }, + { + "description": "Limiting the transmission of a credential to a scoped set of relying parties.", + "meta": { + "external_id": "D3-CTS", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:CredentialTransmissionScoping" + ], + "synonyms": [ + "Phishing Resistant Authentication" + ] + }, + "related": [ + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "restricts" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restricts" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "restricts" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "restricts" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "restricts" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "restricts" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "restricts" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "restricts" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "restricts" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "restricts" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "restricts" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "restricts" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + 
"type": "restricts" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "restricts" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "restricts" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "restricts" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "restricts" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "restricts" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "restricts" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "restricts" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "restricts" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "restricts" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "restricts" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "restricts" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "restricts" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "restricts" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "restricts" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "restricts" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "restricts" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "restricts" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "restricts" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "restricts" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "restricts" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "restricts" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "restricts" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "restricts" + 
}, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "restricts" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "restricts" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "restricts" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "restricts" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "restricts" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restricts" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "restricts" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "restricts" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "restricts" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "restricts" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "restricts" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "restricts" + } + ], + "uuid": "1bb2497c-12e1-5547-8cd8-1ef510275ba1", + "value": "Credential Transmission Scoping" + }, + { + "description": "Suspending a running process on a computer system.", + "meta": { + "external_id": "D3-PS", + "kill_chain": [ + "Evict:Process-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ProcessSuspension" + ] + }, + "related": [ + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "suspends" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "suspends" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "suspends" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "suspends" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "suspends" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "suspends" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "suspends" + }, + { + 
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "suspends" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "suspends" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "suspends" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "suspends" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "suspends" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "suspends" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "suspends" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "suspends" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "suspends" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "suspends" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "suspends" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "suspends" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "suspends" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "suspends" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "suspends" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "suspends" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "suspends" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "suspends" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "suspends" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "suspends" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "suspends" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "suspends" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "suspends" + }, + { + "dest-uuid": 
"35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "suspends" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "suspends" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "suspends" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "suspends" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "suspends" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "suspends" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "suspends" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "suspends" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "suspends" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "suspends" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "suspends" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "suspends" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "suspends" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "suspends" + } + ], + "uuid": "c7271e9f-f0e6-5e03-bb4d-c02e65a5e3b2", + "value": "Process Suspension" + }, + { + "description": "Monitoring the existence of or changes to Domain User Accounts.", + "meta": { + "external_id": "D3-DAM", + "kill_chain": [ + "Detect:User-Behavior-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring" + ] + }, + "related": [ + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "monitors" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "monitors" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "monitors" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "monitors" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "monitors" + }, + { + "dest-uuid": 
"c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "monitors" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "monitors" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "monitors" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "monitors" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "monitors" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "monitors" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "monitors" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "monitors" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "monitors" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "monitors" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "monitors" + } + ], + "uuid": "c899ef50-74bd-5ba7-a5ad-27d357e78f1b", + "value": "Domain Account Monitoring" + }, + { + "description": "Analyzing the reputation of a URL.", + "meta": { + "external_id": "D3-URA", + "kill_chain": [ + "Detect:Identifier-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:URLReputationAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": 
"d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + } + ], + "uuid": "9d0e3d9e-4219-511d-9a0c-3df08dded6c0", + "value": "URL Reputation Analysis" + }, + { + "description": "Authenticating the sender of a message and ensuring message integrity.", + "meta": { + "external_id": "D3-MAN", + "kill_chain": [ + "Harden:Message-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:MessageAuthentication" + ] + }, + "uuid": "6724076f-3bc2-5da7-870f-bc4688051091", + "value": "Message Authentication" + }, + { + "description": "Validating that server components of a messaging infrastructure are authorized to send a particular message.", + "meta": { + "external_id": "D3-TAAN", + "kill_chain": [ + "Harden:Message-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication" + ] + }, + "uuid": "0ff8bb88-a078-55fd-a42d-7da9fdcd52b7", + "value": "Transfer Agent Authentication" + }, + { + "description": "Restricting network traffic originating from any location.", + "meta": { + "external_id": "D3-NTF", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:NetworkTrafficFiltering" + ] + }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "filters" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "filters" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "filters" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "filters" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "filters" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "filters" + }, + { + "dest-uuid": 
"9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "filters" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "filters" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "filters" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "filters" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "filters" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "filters" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "filters" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "filters" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "filters" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "filters" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "filters" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "filters" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "filters" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "filters" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "filters" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "filters" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "filters" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "filters" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "filters" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "filters" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "filters" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "filters" + }, + 
{ + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "filters" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "filters" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "filters" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "filters" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "filters" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "filters" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "filters" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "filters" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "filters" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "filters" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "filters" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "filters" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "filters" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "filters" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "filters" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "filters" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "filters" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "filters" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "filters" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": 
"filters" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "filters" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "filters" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "filters" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "filters" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "filters" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "filters" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "filters" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "filters" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "filters" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "filters" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "filters" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "filters" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "filters" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "filters" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "filters" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "filters" + }, + { + "dest-uuid": 
"84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "filters" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "filters" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "filters" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "filters" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "filters" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "filters" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "filters" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "filters" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "filters" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "filters" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "filters" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "filters" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "filters" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "filters" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "filters" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "filters" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "filters" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "filters" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "filters" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "filters" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "filters" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "filters" + }, + 
{ + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "filters" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "filters" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "filters" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "filters" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "filters" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "filters" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "filters" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "filters" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "filters" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "filters" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "filters" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "filters" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "filters" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "filters" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "filters" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "filters" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "filters" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "filters" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "filters" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": 
"filters" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "filters" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "filters" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "filters" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "filters" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "filters" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "filters" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "filters" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "filters" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "filters" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "filters" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "filters" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "filters" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "filters" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "filters" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "filters" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "filters" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "filters" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "filters" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "filters" + }, + { + "dest-uuid": 
"24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "filters" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "filters" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "filters" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "filters" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "filters" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "filters" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "filters" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "filters" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "filters" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "filters" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "filters" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "filters" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "filters" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "filters" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "filters" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "filters" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "filters" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "filters" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "filters" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "filters" + }, + 
{ + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "filters" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "filters" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "filters" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "filters" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "filters" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "filters" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "filters" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "filters" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "filters" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "filters" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "filters" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "filters" + } + ], + "uuid": "b1c0b6bb-deac-54d4-8a62-4bc57702fd28", + "value": "Network Traffic Filtering" + }, + { + "description": "Using biological measures in order to authenticate a user.", + "meta": { + "external_id": "D3-BAN", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:BiometricAuthentication" + ] + }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + 
}, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "authenticates" + }, + { + 
"dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "authenticates" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": 
"f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + } + ], + "uuid": "0cf84afc-e9a9-52a8-9a64-1146ed86e0c4", + "value": "Biometric Authentication" + }, + { + "description": "Analyzing the reputation of a file hash.", + "meta": { + "external_id": "D3-FHRA", + "kill_chain": [ + "Detect:Identifier-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileHashReputationAnalysis" + ] + }, + "uuid": "f0b15269-e543-5202-b9d7-cfd6621ba2a2", + "value": "File Hash Reputation Analysis" + }, + { + "description": "Collecting network communication protocol metadata and identifying statistical outliers.", + "meta": { + "external_id": "D3-PMAD", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ 
+ "https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection" + ] + }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": 
"650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + 
"type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": 
"ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + 
"type": "analyzes" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "type": "analyzes" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "analyzes" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "type": "analyzes" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "analyzes" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "analyzes" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "analyzes" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": 
"2e34237d-8574-43f6-aace-ae2915de8597", + "type": "analyzes" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "analyzes" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "analyzes" + }, + { + "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", + "type": "analyzes" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "analyzes" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "analyzes" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "analyzes" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "analyzes" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + 
"type": "analyzes" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "analyzes" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "analyzes" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "analyzes" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "analyzes" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "analyzes" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "analyzes" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "type": "analyzes" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "analyzes" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "analyzes" + }, + { + "dest-uuid": 
"c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "analyzes" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "analyzes" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "analyzes" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "type": "analyzes" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "analyzes" + }, + { + "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "analyzes" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "analyzes" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "analyzes" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "analyzes" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "analyzes" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "analyzes" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "analyzes" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "analyzes" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "analyzes" + }, + { + "dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5", + "type": "analyzes" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "analyzes" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "analyzes" + } + ], + "uuid": "c0fa4b60-cc10-5b50-8eb3-4a26752852f2", + 
"value": "Protocol Metadata Anomaly Detection" + }, + { + "description": "Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.", + "meta": { + "external_id": "D3-PSA", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "analyzes" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "analyzes" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": 
"a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "analyzes" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "analyzes" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "analyzes" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "analyzes" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "analyzes" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "analyzes" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + 
"type": "analyzes" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": 
"7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "analyzes" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "analyzes" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "analyzes" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + 
"type": "analyzes" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "analyzes" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "analyzes" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "analyzes" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "analyzes" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "analyzes" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "analyzes" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "analyzes" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "analyzes" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": 
"005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "analyzes" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "analyzes" + } + ], + "uuid": "b1cfe58d-38df-5fcd-bb68-b832d15a395f", + "value": "Process Spawn Analysis" + }, + { + "description": "Requiring proof of two or more pieces of evidence in order to authenticate a user.", + "meta": { + "external_id": "D3-MFA", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication" + ] + }, + "related": [ + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "authenticates" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": 
"25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": 
"e74de37c-a829-446c-937d-56a44f0e9306", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": 
"21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + } + ], + "uuid": "f0b9dd4e-6891-54be-bfd8-2d9cff119944", + "value": "Multi-factor Authentication" + }, + { + "description": "Issuing publicly released media to deceive adversaries.", + "meta": { + "external_id": "D3-DPR", + "kill_chain": [ + "Deceive:Decoy-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DecoyPublicRelease" + ] + }, + "uuid": "cf471e91-4537-54b6-b0f7-0ad331543361", + "value": "Decoy Public Release" + }, + { + "description": "Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.", + "meta": { + "external_id": "D3-ANAA", + "kill_chain": [ + "Detect:Network-Traffic-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + 
}, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + }, + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "analyzes" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "type": "analyzes" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "type": "analyzes" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "analyzes" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "type": "analyzes" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "analyzes" + } + ], + "uuid": "bbb6dd55-5a7c-576e-8230-8b1b30a0abd7", + "value": "Administrative Network Activity Analysis" + }, + { + "description": "Restoring a user account's access to resources.", + "meta": { + "external_id": "D3-RUAA", + "kill_chain": [ + "Restore:Restore-Access" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:RestoreUserAccountAccess" + ] + }, + "related": [ + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + 
{ + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": 
"8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + 
"type": "restores" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + } + ], + "uuid": "75f4788e-dfce-5ef5-b3f5-cb034a7571db", + "value": "Restore User Account Access" + }, + { + "description": "Blocking a reverse lookup based on the query's IP address value.", + "meta": { + "external_id": "D3-RRID", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ReverseResolutionIPDenylisting" + ], + "synonyms": [ + "Reverse Resolution IP Blacklisting" + ] + }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "blocks" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "blocks" + } + ], + "uuid": "73e18f53-e95a-5309-b6c5-7d51879d394f", + "value": "Reverse Resolution IP Denylisting" + }, + { + "description": "Operating system level mechanisms to prevent abusive input device exploitation.", + "meta": { + "external_id": "D3-IDA", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:InputDeviceAnalysis" + ] + }, + "related": [ + { + "dest-uuid": 
"09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "analyzes" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "type": "analyzes" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "type": "analyzes" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "analyzes" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "type": "analyzes" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "type": "analyzes" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "analyzes" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "analyzes" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "type": "analyzes" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "analyzes" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "type": "analyzes" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "analyzes" + } + ], + "uuid": "fdc3fedb-3a22-5b75-b342-b2e7a4346349", + "value": "Input Device Analysis" + }, + { + "description": "Issue a new credential to a user which supercedes their old credential.", + "meta": { + "external_id": "D3-RIC", + "kill_chain": [ + "Restore:Restore-Object" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ReissueCredential" + ] + }, + "related": [ + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "restores" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "restores" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "restores" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restores" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "restores" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "restores" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "restores" + }, + { + "dest-uuid": 
"10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "restores" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "restores" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "restores" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "restores" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "restores" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "restores" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "restores" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "restores" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "restores" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "restores" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "restores" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "restores" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "restores" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "restores" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "restores" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "restores" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "restores" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "type": "restores" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "restores" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "restores" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "restores" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "restores" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "restores" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + 
"type": "restores" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "restores" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "type": "restores" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "restores" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "restores" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "type": "restores" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "type": "restores" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "restores" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "restores" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "restores" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "restores" + }, + { + "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", + "type": "restores" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "type": "restores" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "restores" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "restores" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "restores" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "restores" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "restores" + } + ], + "uuid": "937e8243-e4a8-54b7-a09b-16c88e1f94bb", + "value": "Reissue Credential" + }, + { + "description": "Initiating a host's shutdown sequence to terminate all running processes.", + "meta": { + "external_id": "D3-HS", + "kill_chain": [ + "Evict:Process-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:HostShutdown" + ] + }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": 
"terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "terminates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + 
"type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "terminates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + } + ], + "uuid": "6ecb5446-d874-584a-86d8-704bb8fa8ca2", + "value": "Host Shutdown" + }, + { + "description": "Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.", + "meta": { + "external_id": 
"D3-DEM", + "kill_chain": [ + "Model:System-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DataExchangeMapping" + ], + "synonyms": [ + "Data Flow Mapping", + "Information Exchange Mapping" + ] + }, + "uuid": "bc9684d4-bd04-531b-a37e-0c709d694e20", + "value": "Data Exchange Mapping" + }, + { + "description": "Detects processes that modify, change, or replace their own code at runtime.", + "meta": { + "external_id": "D3-PSMD", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ProcessSelf-ModificationDetection" + ] + }, + "related": [ + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "analyzes" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "analyzes" + }, + { + "dest-uuid": 
"f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + 
"type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + } + ], + "uuid": "b9b2e3b0-4cee-58d7-b97e-33231a812799", + "value": "Process Self-Modification Detection" + }, + { + "description": "Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections.", + "meta": { + "external_id": "D3-PLLM", + "kill_chain": [ + "Model:Network-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:PassiveLogicalLinkMapping" + ], + "synonyms": [ + "Passive Logical Layer Mapping" + ] + }, + "uuid": "52edb6e4-fa0f-5594-812b-54e4bed33360", + "value": "Passive Logical Link Mapping" + }, + { + "description": "A one-time password is valid for only one user authentication.", + "meta": { + "external_id": "D3-OTP", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:One-timePassword" + ], + "synonyms": [ + "OTP" + ] + }, + "related": [ + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "authenticates" + }, + { + "dest-uuid": 
"e74de37c-a829-446c-937d-56a44f0e9306", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "use-limits" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "use-limits" + }, + { + "dest-uuid": 
"c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "use-limits" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "use-limits" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "type": "use-limits" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": 
"a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "authenticates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "type": "use-limits" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "authenticates" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "authenticates" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "authenticates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "authenticates" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "authenticates" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "authenticates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "authenticates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "authenticates" + } + ], + "uuid": "b7b2e1e7-8e4c-5ba4-bc19-0a67e8f439c5", + "value": "One-time Password" + }, + { + "description": "Analyzing changes in service binary files by comparing to a source of truth.", + "meta": { + "external_id": "D3-SBV", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + 
"https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification" + ] + }, + "related": [ + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "verifies" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "verifies" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "verifies" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "verifies" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "verifies" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": 
"9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "verifies" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "verifies" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "verifies" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "verifies" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "verifies" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "verifies" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + 
"type": "verifies" + }, + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "verifies" + }, + { + "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "type": "verifies" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "type": "verifies" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "type": "verifies" + } + ], + "uuid": "2a9aa494-f476-59c5-8bc1-520f19a731f3", + "value": "Service Binary Verification" + }, + { + "description": "Removing unreachable or \"dead code\" from compiled source code.", + "meta": { + "external_id": "D3-DCE", + "kill_chain": [ + "Harden:Application-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DeadCodeElimination" + ] + }, + "uuid": "a6ab4a27-bea4-52a9-aee6-b3ada84e12f0", + "value": "Dead Code Elimination" + }, + { + "description": "Preventing one process from writing to the memory space of another process through hardware based address manager implementations.", + "meta": { + "external_id": "D3-HBPI", + "kill_chain": [ + "Isolate:Execution-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation" + ], + "synonyms": [ + "Virtualization" + ] + }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + 
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "isolates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": 
"65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "isolates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "isolates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "isolates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "isolates" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "isolates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": 
"a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "isolates" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": 
"045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "isolates" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "isolates" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "isolates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "isolates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": 
"1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "isolates" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + } + ], + "uuid": "2c5d7563-06b0-5250-b72c-d6ff3b4dcdb6", + "value": "Hardware-based Process Isolation" + }, + { + "description": "Restricting inter-domain trust by modifying domain configuration.", + "meta": { + "external_id": "D3-DTP", + "kill_chain": [ + "Harden:Credential-Hardening" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:DomainTrustPolicy" + ] + }, + "related": [ + { + 
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + } + ], + "uuid": "177288bd-0d7a-575e-901c-3af228358234", + "value": "Domain Trust Policy" + }, + { + "description": "Blocking a DNS lookup's answer's IP address value.", + "meta": { + "external_id": "D3-FRIDL", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ForwardResolutionIPDenylisting" + ], + "synonyms": [ + "Forward Resolution IP Blacklisting" + ] + }, + "uuid": "644db38c-94cd-5e09-956b-c274eea9be16", + "value": "Forward Resolution IP Denylisting" + }, + { + "description": "Analyzing a Container Image with respect to a set of policies.", + "meta": { + "external_id": "D3-CIA", + "kill_chain": [ + "Model:Asset-Inventory" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ContainerImageAnalysis" + ], + "synonyms": [ + "Container Image Scanning" + ] + }, + "related": [ + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "analyzes" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "analyzes" + }, + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "type": "analyzes" + } + ], + "uuid": "8c2294c7-d7c4-556b-b908-144ae891f1a2", + "value": "Container Image Analysis" + }, + { + "description": "Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection", + "meta": { + "external_id": "D3-ALLM", + "kill_chain": [ + "Model:Network-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ActiveLogicalLinkMapping" + ] + }, + "uuid": "e776f523-cc55-5076-b26d-db08bbdffc01", + "value": "Active Logical Link Mapping" + }, + { + "description": "Controlling access to local computer system resources with kernel-level capabilities.", + "meta": { + "external_id": "D3-MAC", + 
"kill_chain": [ + "Isolate:Execution-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl" + ] + }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": 
"f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "isolates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "isolates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "isolates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "isolates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "isolates" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": 
"cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "isolates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": 
"51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "isolates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "isolates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": 
"005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "isolates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "isolates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "isolates" + }, + { + "dest-uuid": 
"f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "isolates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "isolates" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "restricts" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "restricts" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "isolates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "isolates" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "restricts" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "restricts" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "restricts" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": 
"045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "restricts" + }, + { + "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "type": "restricts" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "isolates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "restricts" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "restricts" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "restricts" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "restricts" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "type": "restricts" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "restricts" + }, + { + "dest-uuid": 
"9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "isolates" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "restricts" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "isolates" + }, + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "type": "restricts" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "isolates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "isolates" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "type": "restricts" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "isolates" + }, + { + "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "type": "restricts" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "type": "restricts" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "restricts" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "isolates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "isolates" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "restricts" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "isolates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "isolates" + } + ], + "uuid": "5c13ef28-ac3a-52fa-99de-563fc6a0bd45", + "value": "Mandatory Access Control" + }, + { + "description": "Cryptographically verifying installed system firmware integrity.", + "meta": { + "external_id": "D3-SFV", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemFirmwareVerification" + ] + }, + "related": [ + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "verifies" + }, + { + 
"dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "verifies" + }, + { + "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc", + "type": "verifies" + }, + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "type": "verifies" + } + ], + "uuid": "4905080d-7cd7-5a17-9223-2454462d5481", + "value": "System Firmware Verification" + }, + { + "description": "Analyzing the properties of file create system call invocations.", + "meta": { + "external_id": "D3-FCA", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileCreationAnalysis" + ] + }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + }, + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "type": "analyzes" + } + ], + "uuid": "4d53ce87-4d9e-58e6-887f-61a7998fe875", + "value": "File Creation Analysis" + }, + { + "description": "Analysis of any system process startup configuration.", + "meta": { + "external_id": "D3-SICA", + "kill_chain": [ + "Detect:Platform-Monitoring" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:SystemInitConfigAnalysis" + ], + "synonyms": [ + "Autorun Analysis", + "Startup Analysis" + ] + }, + "related": [ + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "type": "analyzes" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, 
+ { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "analyzes" + }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "type": "analyzes" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "type": "analyzes" + }, + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "type": "analyzes" + }, + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "type": "analyzes" + } + ], + "uuid": "3ff31fe3-4b89-5376-ac54-497528092610", + "value": "System Init Config Analysis" + }, + { + "description": "Passive 
physical link mapping only listens to network traffic as a means to map the physical layer.", + "meta": { + "external_id": "D3-PPLM", + "kill_chain": [ + "Model:Network-Mapping" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:PassivePhysicalLinkMapping" + ], + "synonyms": [ + "Passive Physical Layer Mapping" + ] + }, + "uuid": "520a48b5-b5b2-5eb9-8c8d-10c3e806e8d1", + "value": "Passive Physical Link Mapping" + }, + { + "description": "Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.", + "meta": { + "external_id": "D3-PLA", + "kill_chain": [ + "Detect:Process-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis" + ], + "synonyms": [ + "Process Tree Analysis" + ] + }, + "related": [ + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": 
"35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "analyzes" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + 
"type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "analyzes" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "analyzes" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "analyzes" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "analyzes" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "analyzes" + }, + { + "dest-uuid": 
"5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "analyzes" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "analyzes" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "analyzes" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "analyzes" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "analyzes" + } + ], + "uuid": "32c75bca-fd70-593c-a40a-4a6d582599a2", + "value": "Process Lineage Analysis" + }, + { + "description": "Blocking DNS queries that are deceptively similar to legitimate domain names.", + "meta": { + "external_id": "D3-HDL", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:HomoglyphDenylisting" + ], + "synonyms": [ + "Homoglyph Blacklisting" + ] + }, + "uuid": "0352af96-b290-5e0e-9229-828c3298b663", + "value": "Homoglyph Denylisting" + }, + { + "description": "Employing a pattern matching rule language to analyze the content of files.", + "meta": { + "external_id": "D3-FCR", + "kill_chain": [ + "Detect:File-Analysis" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:FileContentRules" + ], + "synonyms": [ + "File Content Signatures", + "File Signatures" + ] + }, + "uuid": "dabd0a87-3fc1-57fb-8cf0-d5915a0d660f", + "value": "File Content Rules" + }, + { + "description": "Restricting network traffic originating from untrusted networks destined towards a private host or enclave.", + "meta": { + "external_id": "D3-ITF", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering" + ] + }, + "related": [ + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "filters" + }, + { + "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01", + "type": 
"filters" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "filters" + }, + { + "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", + "type": "filters" + }, + { + "dest-uuid": "0bda01d5-4c1d-4062-8ee2-6872334383c3", + "type": "filters" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "filters" + } + ], + "uuid": "f2df5454-8782-517a-ab19-1e51e2df4fb9", + "value": "Inbound Traffic Filtering" + }, + { + "description": "Restricting network traffic originating from a private host or enclave destined towards untrusted networks.", + "meta": { + "external_id": "D3-OTF", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering" + ] + }, + "related": [ + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "filters" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "filters" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "type": "filters" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "filters" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "filters" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "filters" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "filters" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "filters" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "filters" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "filters" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "type": "filters" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "filters" + }, + { + "dest-uuid": 
"9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "type": "filters" + }, + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "type": "filters" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "type": "filters" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "filters" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "filters" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "filters" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "filters" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "filters" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "filters" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "filters" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "filters" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "filters" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "filters" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "type": "filters" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "filters" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "filters" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "filters" + }, + { + "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", + "type": "filters" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "filters" + } + ], + "uuid": "d6c9eb1e-5fb2-5a10-a73b-9b1075ac4a59", + "value": "Outbound Traffic Filtering" + }, + { + "description": "Restoring a user account's access to resources by unlocking a locked User Account.", + "meta": { + "external_id": "D3-ULA", + "kill_chain": [ + "Restore:Restore-Access" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:UnlockAccount" + ] + }, + "related": [ + { + "dest-uuid": 
"e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + 
"type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": 
"21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "restores" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "restores" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + 
"type": "restores" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "restores" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "restores" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "type": "restores" + }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "type": "restores" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "restores" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "restores" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "restores" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "restores" + }, + { + "dest-uuid": 
"f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "restores" + } + ], + "uuid": "dd547285-c3de-518b-bb09-8788627f3feb", + "value": "Unlock Account" + }, + { + "description": "Initiating a host's reboot sequence to terminate all running processes.", + "meta": { + "external_id": "D3-HR", + "kill_chain": [ + "Evict:Process-Eviction" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:HostReboot" + ] + }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + 
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "terminates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "terminates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "terminates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "terminates" + }, + { 
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "terminates" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "terminates" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "terminates" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "terminates" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "terminates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "type": "terminates" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "type": "terminates" + }, + 
{ + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "terminates" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "terminates" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "terminates" + } + ], + "uuid": "342ba701-6921-5383-9e02-b3bf9e1d6f08", + "value": "Host Reboot" + }, + { + "description": "Filtering incoming email traffic based on specific criteria.", + "meta": { + "external_id": "D3-EF", + "kill_chain": [ + "Isolate:Network-Isolation" + ], + "refs": [ + "https://d3fend.mitre.org/technique/d3f:EmailFiltering" + ] + }, + "related": [ + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "filters" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "filters" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "filters" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "filters" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "filters" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "filters" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "filters" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "filters" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "filters" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "filters" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "filters" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "filters" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "filters" + }, + { + "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", + "type": "filters" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "filters" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "filters" + } + ], + "uuid": 
"1dfa7e9f-1160-5b18-9fac-19d228c3c691", + "value": "Email Filtering" + } + ], + "version": 1 +} diff --git a/galaxies/mitre-d3fend.json b/galaxies/mitre-d3fend.json new file mode 100644 index 0000000..eb31951 --- /dev/null +++ b/galaxies/mitre-d3fend.json @@ -0,0 +1,49 @@ +{ + "description": "A knowledge graph of cybersecurity countermeasures.", + "icon": "user-shield", + "kill_chain_order": { + "Model": [ + "Asset-Inventory", + "Network-Mapping", + "Operational-Activity-Mapping", + "System-Mapping" + ], + "Harden": [ + "Application-Hardening", + "Credential-Hardening", + "Message-Hardening", + "Platform-Hardening" + ], + "Detect": [ + "File-Analysis", + "Identifier-Analysis", + "Message-Analysis", + "Network-Traffic-Analysis", + "Platform-Monitoring", + "Process-Analysis", + "User-Behavior-Analysis" + ], + "Isolate": [ + "Execution-Isolation", + "Network-Isolation" + ], + "Deceive": [ + "Decoy-Environment", + "Decoy-Object" + ], + "Evict": [ + "Credential-Eviction", + "File-Eviction", + "Process-Eviction" + ], + "Restore": [ + "Restore-Access", + "Restore-Object" + ] + }, + "name": "MITRE D3FEND", + "namespace": "mitre", + "type": "mitre-d3fend", + "uuid": "77d1bbfa-2982-4e0a-9238-1dae4a48c5b4", + "version": 1 +} diff --git a/tools/gen_mitre_d3fend.py b/tools/gen_mitre_d3fend.py index 3bb0160..845d1ca 100755 --- a/tools/gen_mitre_d3fend.py +++ b/tools/gen_mitre_d3fend.py 
@@ -1,4 +1,22 @@
 #!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# A simple convertor of the MITRE D3FEND to a MISP Galaxy datastructure.
+# Copyright (C) 2024 Christophe Vandeplas
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
 import json
 import os
 import requests
@@ -7,15 +25,16 @@ import uuid
 d3fend_url = 'https://d3fend.mitre.org/ontologies/d3fend.json'
 d3fend_full_mappings_url = 'https://d3fend.mitre.org/api/ontology/inference/d3fend-full-mappings.json'
 
 
+# we love eating lots of memory
+r = requests.get(d3fend_url)
+d3fend_json = r.json()
+
+r = requests.get(d3fend_full_mappings_url)
+d3fend_mappings_json = r.json()
+
+with open('../clusters/mitre-attack-pattern.json', 'r') as mitre_f:
+ mitre = json.load(mitre_f)
-try:
- with open('d3fend.json', 'r') as f:
- d3fend_json = json.load(f)
-except Exception:
- r = requests.get(d3fend_url)
- with open('d3fend.json', 'w') as f:
- f.write(r.text)
- d3fend_json = r.json()
 
 uuid_seed = '35527064-12b4-4b73-952b-6d76b9f1b1e3'
 
@@ -23,6 +42,7 @@ tactics = {} # key = tactic, value = phases
 phases_ids = []
 techniques_ids = []
 techniques = []
+relations = {}
 
 
 def get_as_list(item):
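Review bot: The two `requests.get` calls added in the `@@ -7,15 +25,16 @@` hunk have no timeout and never check the HTTP status, so a hung connection to d3fend.mitre.org blocks the generator indefinitely and a 4xx/5xx or maintenance page is handed straight to `r.json()`, which then dies with a JSON decode error that hides the real cause. Each fetch should be `r = requests.get(d3fend_url, timeout=60)` followed by `r.raise_for_status()` before `r.json()` (same for `d3fend_full_mappings_url`). The relative `open('../clusters/mitre-attack-pattern.json', 'r')` also assumes the script is invoked from `tools/`; resolving it against `os.path.dirname(__file__)` (os is already imported) would make it location-independent. The `# we love eating lots of memory` comment would be more useful if it said why the on-disk cache was dropped, e.g. `# always fetch fresh copies; a cached d3fend.json could silently go stale between D3FEND releases`.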
@@ -103,6 +123,33 @@ def find_kill_chain_of(original_item):
 return find_kill_chain_of(data[parent_class])
 
 
+def find_mitre_uuid_from_technique_id(technique_id):
+ for item in mitre['values']:
+ if item['meta']['external_id'] == technique_id:
+ return item['uuid']
+ print("No MITRE UUID found for technique_id: ", technique_id)
+ return None
+
+
+# relationships
+for item in d3fend_mappings_json['results']['bindings']:
+ d3fend_technique = item['def_tech_label']['value']
+ attack_technique = item['off_tech_label']['value']
+ attack_technique_id = item['off_tech']['value'].split('#')[-1]
+ # print(f"Mapping: {d3fend_technique} -> {attack_technique} ({attack_technique_id})")
+ dest_uuid = find_mitre_uuid_from_technique_id(attack_technique_id)
+ if dest_uuid:
+ rel_type = item['def_artifact_rel_label']['value']
+ if d3fend_technique not in relations:
+ relations[d3fend_technique] = []
+ relations[d3fend_technique].append(
+ {
+ 'dest-uuid': dest_uuid,
+ 'type': rel_type
+ }
+ )
+
+
 # first convert as dict with key = @id
 data = {}
 for item in d3fend_json['@graph']:
@@ -162,7 +209,9 @@ while seen_new:
 # synonyms
 if 'd3f:synonym' in item:
 technique['meta']['synonyms'] = get_as_list(item['d3f:synonym'])
- # TODO relations
+ # relations
+ if item['rdfs:label'] in relations:
+ technique['related'] = relations[item['rdfs:label']]
 techniques.append(technique)
 print(f"Technique: {item['rdfs:label']} - {item['d3f:d3fend-id']}")
 
@@ -175,7 +224,7 @@ galaxy_description = 'A knowledge graph of cybersecurity countermeasures.'
 galaxy_source = 'https://d3fend.mitre.org/'
 json_galaxy = {
 'description': galaxy_description,
- 'icon': "map",
+ 'icon': "user-shield",
 'kill_chain_order': kill_chain_tactics,
 'name': galaxy_name,
 'namespace': "mitre",
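Review bot: `find_mitre_uuid_from_technique_id` rescans all of `mitre['values']` for every row of `d3fend_mappings_json['results']['bindings']`, and `item['meta']['external_id']` raises KeyError on any ATT&CK cluster entry whose meta lacks that key, so a single such entry aborts the whole build. The relations loop also appends one `{'dest-uuid', 'type'}` dict per binding row with no de-duplication; the generated cluster earlier in this patch series shows the result (Host Reboot lists the same dest-uuid/"terminates" pair many times over), which bloats the cluster and makes MISP show duplicate relationships. Build the id-to-uuid table once and key the collected relations on (technique, dest-uuid, type) so each pair is emitted once.

```python
# ATT&CK entries are matched by external id (e.g. T1059); build the lookup
# once instead of scanning the whole cluster for every mapping row.
mitre_uuid_by_external_id = {
    item['meta']['external_id']: item['uuid']
    for item in mitre['values']
    if item.get('meta', {}).get('external_id')
}


def find_mitre_uuid_from_technique_id(technique_id):
    """Return the MISP uuid of an ATT&CK technique id, or None if unknown."""
    mitre_uuid = mitre_uuid_by_external_id.get(technique_id)
    if mitre_uuid is None:
        print("No MITRE UUID found for technique_id: ", technique_id)
    return mitre_uuid


# relationships
seen_relations = set()
for item in d3fend_mappings_json['results']['bindings']:
    d3fend_technique = item['def_tech_label']['value']
    attack_technique_id = item['off_tech']['value'].split('#')[-1]
    dest_uuid = find_mitre_uuid_from_technique_id(attack_technique_id)
    if not dest_uuid:
        continue
    rel_type = item['def_artifact_rel_label']['value']
    key = (d3fend_technique, dest_uuid, rel_type)
    if key in seen_relations:
        continue  # the mappings export repeats the same pair on several rows
    seen_relations.add(key)
    relations.setdefault(d3fend_technique, []).append(
        {'dest-uuid': dest_uuid, 'type': rel_type}
    )

# … unchanged: "first convert as dict with key = @id" section …
```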
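Review bot: The new `related` lookup in the `@@ -162,7 +209,9 @@` hunk keys `relations` by the human-readable `rdfs:label`, which the mappings side filled from `def_tech_label`; if two D3FEND classes ever share a label, or a label is reworded upstream while the id stays stable, relations end up on the wrong technique or are silently dropped. The stable `d3f:d3fend-id` is already read one line below for the print, and the offensive side of each binding exposes an IRI (`off_tech`); if the bindings carry the defensive technique IRI as well, keying both sides on the id fragment would be more robust — worth confirming against the endpoint. A short comment on the new `if` would help the next reader, e.g. `# relations were collected by label from the D3FEND full-mappings export above`. The enclosing `while seen_new:` loop starts and ends outside this hunk.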
@@ -208,4 +257,3 @@ with open(os.path.join('..', 'clusters', galaxy_fname), 'w') as f: f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.") - From 0528a62d9bd4f35968abd375efad239f85e6d947 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Tue, 28 May 2024 07:48:22 +0200 Subject: [PATCH 4/9] fix: [d3fend] sort keys to make jq_all_the_things happy --- galaxies/mitre-d3fend.json | 38 +++++++++++++++++++------------------- tools/gen_mitre_d3fend.py | 4 ++-- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/galaxies/mitre-d3fend.json b/galaxies/mitre-d3fend.json index eb31951..301f74b 100644 --- a/galaxies/mitre-d3fend.json +++ b/galaxies/mitre-d3fend.json @@ -2,17 +2,9 @@ "description": "A knowledge graph of cybersecurity countermeasures.", "icon": "user-shield", "kill_chain_order": { - "Model": [ - "Asset-Inventory", - "Network-Mapping", - "Operational-Activity-Mapping", - "System-Mapping" - ], - "Harden": [ - "Application-Hardening", - "Credential-Hardening", - "Message-Hardening", - "Platform-Hardening" + "Deceive": [ + "Decoy-Environment", + "Decoy-Object" ], "Detect": [ "File-Analysis", @@ -23,19 +15,27 @@ "Process-Analysis", "User-Behavior-Analysis" ], - "Isolate": [ - "Execution-Isolation", - "Network-Isolation" - ], - "Deceive": [ - "Decoy-Environment", - "Decoy-Object" - ], "Evict": [ "Credential-Eviction", "File-Eviction", "Process-Eviction" ], + "Harden": [ + "Application-Hardening", + "Credential-Hardening", + "Message-Hardening", + "Platform-Hardening" + ], + "Isolate": [ + "Execution-Isolation", + "Network-Isolation" + ], + "Model": [ + "Asset-Inventory", + "Network-Mapping", + "Operational-Activity-Mapping", + "System-Mapping" + ], "Restore": [ "Restore-Access", "Restore-Object" diff --git a/tools/gen_mitre_d3fend.py b/tools/gen_mitre_d3fend.py index 845d1ca..c397212 100755 
--- a/tools/gen_mitre_d3fend.py
+++ b/tools/gen_mitre_d3fend.py
@@ -248,8 +248,8 @@ json_cluster = {
 
 # save the Galaxy and Cluster file
 with open(os.path.join('..', 'galaxies', galaxy_fname), 'w') as f:
- # do not sort_keys as it would break the kill_chain_order
- json.dump(json_galaxy, f, indent=2, ensure_ascii=False)
+ # sort_keys, even if it breaks the kill_chain_order , but jq_all_the_things requires sorted keys
+ json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
 f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
 
 with open(os.path.join('..', 'clusters', galaxy_fname), 'w') as f:
From ebdcdf29689b5a8d2506e497aa88e770dedfbc06 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Tue, 28 May 2024 08:10:30 +0200
Subject: [PATCH 5/9] fix: [d3fend] updated readme
---
 README.md | 360 +++++++++++++++++++++-------------------
 tools/generate-index.py | 7 +-
 2 files changed, 192 insertions(+), 175 deletions(-)
diff --git a/README.md b/README.md
index 55bd5c3..2b6822e 100644
--- a/README.md
+++ b/README.md
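Review bot: With `sort_keys=True` the tactic order of `kill_chain_order` (Model, Harden, Detect, Isolate, Deceive, Evict, Restore, as the first version of the galaxy file in this series had it) is replaced by alphabetical order, which the regenerated galaxies/mitre-d3fend.json in this same patch shows (Deceive first, Model sixth). If MISP renders kill-chain phases in the order they appear in the galaxy file, the matrix view will no longer follow D3FEND's own Model → Harden → Detect → … progression; that is worth confirming before accepting the trade-off, and if the order matters the exemption belongs in jq_all_the_things rather than in the generator. At minimum tidy the comment, which has a stray space before the comma and leaves the reason implicit: `# sort_keys even though it alphabetises kill_chain_order: jq_all_the_things requires sorted keys`.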
@@ -21,675 +21,691 @@ to localized information (which is not shared) or additional information (that c ## 360.net Threat Actors -[360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net. +[360.net Threat Actors](https://www.misp-galaxy.org/360net) - Known or estimated adversary groups as identified by 360.net. Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements -[[HTML](https://www.misp-project.org/galaxy.html#_360.net_threat_actors)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)] +[[HTML](https://www.misp-galaxy.org/360net)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)] ## Ammunitions -[Ammunitions](https://www.misp-project.org/galaxy.html#_ammunitions) - Common ammunitions galaxy +[Ammunitions](https://www.misp-galaxy.org/ammunitions) - Common ammunitions galaxy Category: *firearm* - source: *https://ammo.com/* - total: *410* elements -[[HTML](https://www.misp-project.org/galaxy.html#_ammunitions)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ammunitions.json)] +[[HTML](https://www.misp-galaxy.org/ammunitions)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ammunitions.json)] ## Android -[Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources. +[Android](https://www.misp-galaxy.org/android) - Android malware galaxy based on multiple open sources. 
Category: *tool* - source: *Open Sources* - total: *433* elements -[[HTML](https://www.misp-project.org/galaxy.html#_android)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/android.json)] +[[HTML](https://www.misp-galaxy.org/android)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/android.json)] ## Azure Threat Research Matrix -[Azure Threat Research Matrix](https://www.misp-project.org/galaxy.html#_azure_threat_research_matrix) - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse. +[Azure Threat Research Matrix](https://www.misp-galaxy.org/atrm) - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse. 
Category: *atrm* - source: *https://github.com/microsoft/Azure-Threat-Research-Matrix* - total: *90* elements -[[HTML](https://www.misp-project.org/galaxy.html#_azure_threat_research_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/atrm.json)] +[[HTML](https://www.misp-galaxy.org/atrm)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/atrm.json)] ## attck4fraud -[attck4fraud](https://www.misp-project.org/galaxy.html#_attck4fraud) - attck4fraud - Principles of MITRE ATT&CK in the fraud domain +[attck4fraud](https://www.misp-galaxy.org/attck4fraud) - attck4fraud - Principles of MITRE ATT&CK in the fraud domain Category: *guidelines* - source: *Open Sources* - total: *71* elements -[[HTML](https://www.misp-project.org/galaxy.html#_attck4fraud)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/attck4fraud.json)] +[[HTML](https://www.misp-galaxy.org/attck4fraud)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/attck4fraud.json)] ## Backdoor -[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware. +[Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware. Category: *tool* - source: *Open Sources* - total: *28* elements -[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] +[[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] ## Banker -[Banker](https://www.misp-project.org/galaxy.html#_banker) - A list of banker malware. +[Banker](https://www.misp-galaxy.org/banker) - A list of banker malware. 
Category: *tool* - source: *Open Sources* - total: *53* elements -[[HTML](https://www.misp-project.org/galaxy.html#_banker)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/banker.json)] +[[HTML](https://www.misp-galaxy.org/banker)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/banker.json)] ## Bhadra Framework -[Bhadra Framework](https://www.misp-project.org/galaxy.html#_bhadra_framework) - Bhadra Threat Modeling Framework +[Bhadra Framework](https://www.misp-galaxy.org/bhadra-framework) - Bhadra Threat Modeling Framework Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47* elements -[[HTML](https://www.misp-project.org/galaxy.html#_bhadra_framework)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/bhadra-framework.json)] +[[HTML](https://www.misp-galaxy.org/bhadra-framework)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/bhadra-framework.json)] ## Botnet -[Botnet](https://www.misp-project.org/galaxy.html#_botnet) - botnet galaxy +[Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy Category: *tool* - source: *MISP Project* - total: *130* elements -[[HTML](https://www.misp-project.org/galaxy.html#_botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)] +[[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)] ## Branded Vulnerability -[Branded Vulnerability](https://www.misp-project.org/galaxy.html#_branded_vulnerability) - List of known vulnerabilities and attacks with a branding +[Branded Vulnerability](https://www.misp-galaxy.org/branded_vulnerability) - List of known vulnerabilities and attacks with a branding Category: *vulnerability* - source: *Open Sources* - total: *14* elements -[[HTML](https://www.misp-project.org/galaxy.html#_branded_vulnerability)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/branded_vulnerability.json)] 
+[[HTML](https://www.misp-galaxy.org/branded_vulnerability)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/branded_vulnerability.json)] ## Cert EU GovSector -[Cert EU GovSector](https://www.misp-project.org/galaxy.html#_cert_eu_govsector) - Cert EU GovSector +[Cert EU GovSector](https://www.misp-galaxy.org/cert-eu-govsector) - Cert EU GovSector Category: *sector* - source: *CERT-EU* - total: *6* elements -[[HTML](https://www.misp-project.org/galaxy.html#_cert_eu_govsector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cert-eu-govsector.json)] +[[HTML](https://www.misp-galaxy.org/cert-eu-govsector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cert-eu-govsector.json)] ## China Defence Universities Tracker -[China Defence Universities Tracker](https://www.misp-project.org/galaxy.html#_china_defence_universities_tracker) - The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre. +[China Defence Universities Tracker](https://www.misp-galaxy.org/china-defence-universities) - The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre. 
Category: *academic-institution* - source: *ASPI International Cyber Policy Centre* - total: *159* elements -[[HTML](https://www.misp-project.org/galaxy.html#_china_defence_universities_tracker)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/china-defence-universities.json)] +[[HTML](https://www.misp-galaxy.org/china-defence-universities)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/china-defence-universities.json)] ## CONCORDIA Mobile Modelling Framework - Attack Pattern -[CONCORDIA Mobile Modelling Framework - Attack Pattern](https://www.misp-project.org/galaxy.html#_concordia_mobile_modelling_framework_-_attack_pattern) - A list of Techniques in CONCORDIA Mobile Modelling Framework. +[CONCORDIA Mobile Modelling Framework - Attack Pattern](https://www.misp-galaxy.org/cmtmf-attack-pattern) - A list of Techniques in CONCORDIA Mobile Modelling Framework. Category: *cmtmf-attack-pattern* - source: *https://5g4iot.vlab.cs.hioa.no/* - total: *93* elements -[[HTML](https://www.misp-project.org/galaxy.html#_concordia_mobile_modelling_framework_-_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cmtmf-attack-pattern.json)] +[[HTML](https://www.misp-galaxy.org/cmtmf-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cmtmf-attack-pattern.json)] ## Country -[Country](https://www.misp-project.org/galaxy.html#_country) - Country meta information based on the database provided by geonames.org. +[Country](https://www.misp-galaxy.org/country) - Country meta information based on the database provided by geonames.org. 
Category: *country* - source: *MISP Project* - total: *252* elements -[[HTML](https://www.misp-project.org/galaxy.html#_country)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/country.json)] +[[HTML](https://www.misp-galaxy.org/country)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/country.json)] ## Cryptominers -[Cryptominers](https://www.misp-project.org/galaxy.html#_cryptominers) - A list of cryptominer and cryptojacker malware. +[Cryptominers](https://www.misp-galaxy.org/cryptominers) - A list of cryptominer and cryptojacker malware. Category: *Cryptominers* - source: *Open Source Intelligence* - total: *5* elements -[[HTML](https://www.misp-project.org/galaxy.html#_cryptominers)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cryptominers.json)] +[[HTML](https://www.misp-galaxy.org/cryptominers)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cryptominers.json)] ## Actor Types -[Actor Types](https://www.misp-project.org/galaxy.html#_actor_types) - DISARM is a framework designed for describing and understanding disinformation incidents. +[Actor Types](https://www.misp-galaxy.org/disarm-actortypes) - DISARM is a framework designed for describing and understanding disinformation incidents. Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *33* elements -[[HTML](https://www.misp-project.org/galaxy.html#_actor_types)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-actortypes.json)] +[[HTML](https://www.misp-galaxy.org/disarm-actortypes)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-actortypes.json)] ## Countermeasures -[Countermeasures](https://www.misp-project.org/galaxy.html#_countermeasures) - DISARM is a framework designed for describing and understanding disinformation incidents. 
+[Countermeasures](https://www.misp-galaxy.org/disarm-countermeasures) - DISARM is a framework designed for describing and understanding disinformation incidents. Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *139* elements -[[HTML](https://www.misp-project.org/galaxy.html#_countermeasures)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-countermeasures.json)] +[[HTML](https://www.misp-galaxy.org/disarm-countermeasures)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-countermeasures.json)] ## Detections -[Detections](https://www.misp-project.org/galaxy.html#_detections) - DISARM is a framework designed for describing and understanding disinformation incidents. +[Detections](https://www.misp-galaxy.org/disarm-detections) - DISARM is a framework designed for describing and understanding disinformation incidents. Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *94* elements -[[HTML](https://www.misp-project.org/galaxy.html#_detections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-detections.json)] +[[HTML](https://www.misp-galaxy.org/disarm-detections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-detections.json)] ## Techniques -[Techniques](https://www.misp-project.org/galaxy.html#_techniques) - DISARM is a framework designed for describing and understanding disinformation incidents. +[Techniques](https://www.misp-galaxy.org/disarm-techniques) - DISARM is a framework designed for describing and understanding disinformation incidents. 
Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *298* elements -[[HTML](https://www.misp-project.org/galaxy.html#_techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-techniques.json)] +[[HTML](https://www.misp-galaxy.org/disarm-techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-techniques.json)] ## Election guidelines -[Election guidelines](https://www.misp-project.org/galaxy.html#_election_guidelines) - Universal Development and Security Guidelines as Applicable to Election Technology. +[Election guidelines](https://www.misp-galaxy.org/election-guidelines) - Universal Development and Security Guidelines as Applicable to Election Technology. Category: *guidelines* - source: *Open Sources* - total: *23* elements -[[HTML](https://www.misp-project.org/galaxy.html#_election_guidelines)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/election-guidelines.json)] +[[HTML](https://www.misp-galaxy.org/election-guidelines)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/election-guidelines.json)] + +## Entity + +[Entity](https://www.misp-galaxy.org/entity) - Description of entities that can be involved in events. + +Category: *actor* - source: *MISP Project* - total: *4* elements + +[[HTML](https://www.misp-galaxy.org/entity)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/entity.json)] ## Exploit-Kit -[Exploit-Kit](https://www.misp-project.org/galaxy.html#_exploit-kit) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years +[Exploit-Kit](https://www.misp-galaxy.org/exploit-kit) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. 
The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years Category: *tool* - source: *MISP Project* - total: *52* elements -[[HTML](https://www.misp-project.org/galaxy.html#_exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)] +[[HTML](https://www.misp-galaxy.org/exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)] ## Firearms -[Firearms](https://www.misp-project.org/galaxy.html#_firearms) - Common firearms galaxy +[Firearms](https://www.misp-galaxy.org/firearms) - Common firearms galaxy Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* elements -[[HTML](https://www.misp-project.org/galaxy.html#_firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)] +[[HTML](https://www.misp-galaxy.org/firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)] ## FIRST DNS Abuse Techniques Matrix -[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information. 
+[FIRST DNS Abuse Techniques Matrix](https://www.misp-galaxy.org/first-dns) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information. Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements -[[HTML](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-dns.json)] +[[HTML](https://www.misp-galaxy.org/first-dns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-dns.json)] ## Intelligence Agencies -[Intelligence Agencies](https://www.misp-project.org/galaxy.html#_intelligence_agencies) - List of intelligence agencies +[Intelligence Agencies](https://www.misp-galaxy.org/intelligence-agencies) - List of intelligence agencies Category: *Intelligence Agencies* - source: *https://en.wikipedia.org/wiki/List_of_intelligence_agencies* - total: *436* elements -[[HTML](https://www.misp-project.org/galaxy.html#_intelligence_agencies)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/intelligence-agencies.json)] +[[HTML](https://www.misp-galaxy.org/intelligence-agencies)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/intelligence-agencies.json)] ## INTERPOL DWVA Taxonomy -[INTERPOL DWVA 
Taxonomy](https://www.misp-project.org/galaxy.html#_interpol_dwva_taxonomy) - This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems. +[INTERPOL DWVA Taxonomy](https://www.misp-galaxy.org/interpol-dwva) - This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems. Category: *dwva* - source: *https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/* - total: *94* elements -[[HTML](https://www.misp-project.org/galaxy.html#_interpol_dwva_taxonomy)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/interpol-dwva.json)] +[[HTML](https://www.misp-galaxy.org/interpol-dwva)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/interpol-dwva.json)] ## Malpedia -[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia. +[Malpedia](https://www.misp-galaxy.org/malpedia) - Malware galaxy cluster based on Malpedia. 
Category: *tool* - source: *Malpedia* - total: *3039* elements -[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)] +[[HTML](https://www.misp-galaxy.org/malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)] ## Microsoft Activity Group actor -[Microsoft Activity Group actor](https://www.misp-project.org/galaxy.html#_microsoft_activity_group_actor) - Activity groups as described by Microsoft +[Microsoft Activity Group actor](https://www.misp-galaxy.org/microsoft-activity-group) - Activity groups as described by Microsoft Category: *actor* - source: *MISP Project* - total: *79* elements -[[HTML](https://www.misp-project.org/galaxy.html#_microsoft_activity_group_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/microsoft-activity-group.json)] +[[HTML](https://www.misp-galaxy.org/microsoft-activity-group)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/microsoft-activity-group.json)] ## Misinformation Pattern -[Misinformation Pattern](https://www.misp-project.org/galaxy.html#_misinformation_pattern) - AM!TT Technique +[Misinformation Pattern](https://www.misp-galaxy.org/misinfosec-amitt-misinformation-pattern) - AM!TT Technique Category: *misinformation-pattern* - source: *https://github.com/misinfosecproject/amitt_framework* - total: *61* elements -[[HTML](https://www.misp-project.org/galaxy.html#_misinformation_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/misinfosec-amitt-misinformation-pattern.json)] +[[HTML](https://www.misp-galaxy.org/misinfosec-amitt-misinformation-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/misinfosec-amitt-misinformation-pattern.json)] ## MITRE ATLAS Attack Pattern -[MITRE ATLAS Attack Pattern](https://www.misp-project.org/galaxy.html#_mitre_atlas_attack_pattern) - MITRE ATLAS Attack Pattern - Adversarial Threat 
Landscape for Artificial-Intelligence Systems +[MITRE ATLAS Attack Pattern](https://www.misp-galaxy.org/mitre-atlas-attack-pattern) - MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems Category: *attack-pattern* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *82* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mitre_atlas_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-attack-pattern.json)] +[[HTML](https://www.misp-galaxy.org/mitre-atlas-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-attack-pattern.json)] ## MITRE ATLAS Course of Action -[MITRE ATLAS Course of Action](https://www.misp-project.org/galaxy.html#_mitre_atlas_course_of_action) - MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems +[MITRE ATLAS Course of Action](https://www.misp-galaxy.org/mitre-atlas-course-of-action) - MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems -Category: *course-of-action* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *19* elements +Category: *course-of-action* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *20* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mitre_atlas_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-course-of-action.json)] +[[HTML](https://www.misp-galaxy.org/mitre-atlas-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-course-of-action.json)] ## Attack Pattern -[Attack Pattern](https://www.misp-project.org/galaxy.html#_attack_pattern) - ATT&CK tactic +[Attack Pattern](https://www.misp-galaxy.org/mitre-attack-pattern) - ATT&CK tactic Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1141* elements 
-[[HTML](https://www.misp-project.org/galaxy.html#_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)] +[[HTML](https://www.misp-galaxy.org/mitre-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)] ## Course of Action -[Course of Action](https://www.misp-project.org/galaxy.html#_course_of_action) - ATT&CK Mitigation +[Course of Action](https://www.misp-galaxy.org/mitre-course-of-action) - ATT&CK Mitigation Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *281* elements -[[HTML](https://www.misp-project.org/galaxy.html#_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-course-of-action.json)] +[[HTML](https://www.misp-galaxy.org/mitre-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-course-of-action.json)] + +## MITRE D3FEND + +[MITRE D3FEND](https://www.misp-galaxy.org/mitre-d3fend) - A knowledge graph of cybersecurity countermeasures. + +Category: *d3fend* - source: *https://d3fend.mitre.org/* - total: *171* elements + +[[HTML](https://www.misp-galaxy.org/mitre-d3fend)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-d3fend.json)] ## mitre-data-component -[mitre-data-component](https://www.misp-project.org/galaxy.html#_mitre-data-component) - Data components are parts of data sources. +[mitre-data-component](https://www.misp-galaxy.org/mitre-data-component) - Data components are parts of data sources. 
Category: *data-component* - source: *https://github.com/mitre/cti* - total: *117* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mitre-data-component)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-component.json)] +[[HTML](https://www.misp-galaxy.org/mitre-data-component)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-component.json)] ## mitre-data-source -[mitre-data-source](https://www.misp-project.org/galaxy.html#_mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs. +[mitre-data-source](https://www.misp-galaxy.org/mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Category: *data-source* - source: *https://github.com/mitre/cti* - total: *40* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mitre-data-source)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-source.json)] +[[HTML](https://www.misp-galaxy.org/mitre-data-source)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-source.json)] ## Enterprise Attack - Attack Pattern -[Enterprise Attack - Attack Pattern](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_attack_pattern) - ATT&CK tactic +[Enterprise Attack - Attack Pattern](https://www.misp-galaxy.org/mitre-enterprise-attack-attack-pattern) - ATT&CK tactic Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *219* elements -[[HTML](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-attack-pattern.json)] +[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-attack-pattern.json)] ## Enterprise Attack - Course of 
Action -[Enterprise Attack - Course of Action](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_course_of_action) - ATT&CK Mitigation +[Enterprise Attack - Course of Action](https://www.misp-galaxy.org/mitre-enterprise-attack-course-of-action) - ATT&CK Mitigation Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *215* elements -[[HTML](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-course-of-action.json)] +[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-course-of-action.json)] ## Enterprise Attack - Intrusion Set -[Enterprise Attack - Intrusion Set](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_intrusion_set) - Name of ATT&CK Group +[Enterprise Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-enterprise-attack-intrusion-set) - Name of ATT&CK Group Category: *actor* - source: *https://github.com/mitre/cti* - total: *69* elements -[[HTML](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-intrusion-set.json)] +[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-intrusion-set.json)] ## Enterprise Attack - Malware -[Enterprise Attack - Malware](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_malware) - Name of ATT&CK software +[Enterprise Attack - Malware](https://www.misp-galaxy.org/mitre-enterprise-attack-malware) - Name of ATT&CK software Category: *tool* - source: *https://github.com/mitre/cti* - total: *188* elements -[[HTML](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_malware)] - 
[[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-malware.json)] +[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-malware.json)] ## Enterprise Attack - Tool -[Enterprise Attack - Tool](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_tool) - Name of ATT&CK software +[Enterprise Attack - Tool](https://www.misp-galaxy.org/mitre-enterprise-attack-tool) - Name of ATT&CK software Category: *tool* - source: *https://github.com/mitre/cti* - total: *45* elements -[[HTML](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-tool.json)] +[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-tool.json)] ## Assets -[Assets](https://www.misp-project.org/galaxy.html#_assets) - A list of asset categories that are commonly found in industrial control systems. +[Assets](https://www.misp-galaxy.org/mitre-ics-assets) - A list of asset categories that are commonly found in industrial control systems. Category: *asset* - source: *https://collaborate.mitre.org/attackics/index.php/All_Assets* - total: *7* elements -[[HTML](https://www.misp-project.org/galaxy.html#_assets)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-assets.json)] +[[HTML](https://www.misp-galaxy.org/mitre-ics-assets)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-assets.json)] ## Groups -[Groups](https://www.misp-project.org/galaxy.html#_groups) - Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. 
Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions. +[Groups](https://www.misp-galaxy.org/mitre-ics-groups) - Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions. Category: *actor* - source: *https://collaborate.mitre.org/attackics/index.php/Groups* - total: *10* elements -[[HTML](https://www.misp-project.org/galaxy.html#_groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-groups.json)] +[[HTML](https://www.misp-galaxy.org/mitre-ics-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-groups.json)] ## Levels -[Levels](https://www.misp-project.org/galaxy.html#_levels) - Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment. +[Levels](https://www.misp-galaxy.org/mitre-ics-levels) - Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment. 
Category: *level* - source: *https://collaborate.mitre.org/attackics/index.php/All_Levels* - total: *3* elements -[[HTML](https://www.misp-project.org/galaxy.html#_levels)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-levels.json)] +[[HTML](https://www.misp-galaxy.org/mitre-ics-levels)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-levels.json)] ## Software -[Software](https://www.misp-project.org/galaxy.html#_software) - Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS. +[Software](https://www.misp-galaxy.org/mitre-ics-software) - Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS. Category: *tool* - source: *https://collaborate.mitre.org/attackics/index.php/Software* - total: *17* elements -[[HTML](https://www.misp-project.org/galaxy.html#_software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-software.json)] +[[HTML](https://www.misp-galaxy.org/mitre-ics-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-software.json)] ## Tactics -[Tactics](https://www.misp-project.org/galaxy.html#_tactics) - A list of all 11 tactics in ATT&CK for ICS +[Tactics](https://www.misp-galaxy.org/mitre-ics-tactics) - A list of all 11 tactics in ATT&CK for ICS Category: *tactic* - source: *https://collaborate.mitre.org/attackics/index.php/All_Tactics* - total: *9* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tactics)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-tactics.json)] +[[HTML](https://www.misp-galaxy.org/mitre-ics-tactics)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-tactics.json)] ## Techniques 
-[Techniques](https://www.misp-project.org/galaxy.html#_techniques) - A list of Techniques in ATT&CK for ICS. +[Techniques](https://www.misp-galaxy.org/mitre-ics-techniques) - A list of Techniques in ATT&CK for ICS. Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/index.php/All_Techniques* - total: *78* elements -[[HTML](https://www.misp-project.org/galaxy.html#_techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-techniques.json)] +[[HTML](https://www.misp-galaxy.org/mitre-ics-techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-techniques.json)] ## Intrusion Set -[Intrusion Set](https://www.misp-project.org/galaxy.html#_intrusion_set) - Name of ATT&CK Group +[Intrusion Set](https://www.misp-galaxy.org/mitre-intrusion-set) - Name of ATT&CK Group Category: *actor* - source: *https://github.com/mitre/cti* - total: *165* elements -[[HTML](https://www.misp-project.org/galaxy.html#_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)] +[[HTML](https://www.misp-galaxy.org/mitre-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)] ## Malware -[Malware](https://www.misp-project.org/galaxy.html#_malware) - Name of ATT&CK software +[Malware](https://www.misp-galaxy.org/mitre-malware) - Name of ATT&CK software Category: *tool* - source: *https://github.com/mitre/cti* - total: *705* elements -[[HTML](https://www.misp-project.org/galaxy.html#_malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)] +[[HTML](https://www.misp-galaxy.org/mitre-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)] ## Mobile Attack - Attack Pattern -[Mobile Attack - Attack Pattern](https://www.misp-project.org/galaxy.html#_mobile_attack_-_attack_pattern) - ATT&CK tactic +[Mobile Attack - Attack 
Pattern](https://www.misp-galaxy.org/mitre-mobile-attack-attack-pattern) - ATT&CK tactic Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *76* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mobile_attack_-_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-attack-pattern.json)] +[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-attack-pattern.json)] ## Mobile Attack - Course of Action -[Mobile Attack - Course of Action](https://www.misp-project.org/galaxy.html#_mobile_attack_-_course_of_action) - ATT&CK Mitigation +[Mobile Attack - Course of Action](https://www.misp-galaxy.org/mitre-mobile-attack-course-of-action) - ATT&CK Mitigation Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *14* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mobile_attack_-_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-course-of-action.json)] +[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-course-of-action.json)] ## Mobile Attack - Intrusion Set -[Mobile Attack - Intrusion Set](https://www.misp-project.org/galaxy.html#_mobile_attack_-_intrusion_set) - Name of ATT&CK Group +[Mobile Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-mobile-attack-intrusion-set) - Name of ATT&CK Group Category: *actor* - source: *https://github.com/mitre/cti* - total: *1* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mobile_attack_-_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-intrusion-set.json)] +[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-intrusion-set)] - 
[[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-intrusion-set.json)] ## Mobile Attack - Malware -[Mobile Attack - Malware](https://www.misp-project.org/galaxy.html#_mobile_attack_-_malware) - Name of ATT&CK software +[Mobile Attack - Malware](https://www.misp-galaxy.org/mitre-mobile-attack-malware) - Name of ATT&CK software Category: *tool* - source: *https://github.com/mitre/cti* - total: *35* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mobile_attack_-_malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-malware.json)] +[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-malware.json)] ## Mobile Attack - Tool -[Mobile Attack - Tool](https://www.misp-project.org/galaxy.html#_mobile_attack_-_tool) - Name of ATT&CK software +[Mobile Attack - Tool](https://www.misp-galaxy.org/mitre-mobile-attack-tool) - Name of ATT&CK software Category: *tool* - source: *https://github.com/mitre/cti* - total: *1* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mobile_attack_-_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-tool.json)] +[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-tool.json)] ## Pre Attack - Attack Pattern -[Pre Attack - Attack Pattern](https://www.misp-project.org/galaxy.html#_pre_attack_-_attack_pattern) - ATT&CK tactic +[Pre Attack - Attack Pattern](https://www.misp-galaxy.org/mitre-pre-attack-attack-pattern) - ATT&CK tactic Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *174* elements -[[HTML](https://www.misp-project.org/galaxy.html#_pre_attack_-_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-attack-pattern.json)] 
+[[HTML](https://www.misp-galaxy.org/mitre-pre-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-attack-pattern.json)] ## Pre Attack - Intrusion Set -[Pre Attack - Intrusion Set](https://www.misp-project.org/galaxy.html#_pre_attack_-_intrusion_set) - Name of ATT&CK Group +[Pre Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-pre-attack-intrusion-set) - Name of ATT&CK Group Category: *actor* - source: *https://github.com/mitre/cti* - total: *7* elements -[[HTML](https://www.misp-project.org/galaxy.html#_pre_attack_-_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-intrusion-set.json)] +[[HTML](https://www.misp-galaxy.org/mitre-pre-attack-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-intrusion-set.json)] ## mitre-tool -[mitre-tool](https://www.misp-project.org/galaxy.html#_mitre-tool) - Name of ATT&CK software +[mitre-tool](https://www.misp-galaxy.org/mitre-tool) - Name of ATT&CK software Category: *tool* - source: *https://github.com/mitre/cti* - total: *87* elements -[[HTML](https://www.misp-project.org/galaxy.html#_mitre-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)] +[[HTML](https://www.misp-galaxy.org/mitre-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)] ## NAICS -[NAICS](https://www.misp-project.org/galaxy.html#_naics) - The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production). +[NAICS](https://www.misp-galaxy.org/naics) - The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production). 
Category: *sector* - source: *North American Industry Classification System - NAICS* - total: *2125* elements -[[HTML](https://www.misp-project.org/galaxy.html#_naics)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/naics.json)] +[[HTML](https://www.misp-galaxy.org/naics)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/naics.json)] ## o365-exchange-techniques -[o365-exchange-techniques](https://www.misp-project.org/galaxy.html#_o365-exchange-techniques) - o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC and @inversecos +[o365-exchange-techniques](https://www.misp-galaxy.org/o365-exchange-techniques) - o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC and @inversecos Category: *guidelines* - source: *Open Sources, https://www.inversecos.com/2021/09/office365-attacks-bypassing-mfa.html* - total: *62* elements -[[HTML](https://www.misp-project.org/galaxy.html#_o365-exchange-techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/o365-exchange-techniques.json)] +[[HTML](https://www.misp-galaxy.org/o365-exchange-techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/o365-exchange-techniques.json)] ## online-service -[online-service](https://www.misp-project.org/galaxy.html#_online-service) - Known public online services. +[online-service](https://www.misp-galaxy.org/online-service) - Known public online services. 
Category: *tool* - source: *Open Sources* - total: *1* elements -[[HTML](https://www.misp-project.org/galaxy.html#_online-service)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/online-service.json)] +[[HTML](https://www.misp-galaxy.org/online-service)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/online-service.json)] ## Preventive Measure -[Preventive Measure](https://www.misp-project.org/galaxy.html#_preventive_measure) - Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures. +[Preventive Measure](https://www.misp-galaxy.org/preventive-measure) - Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures. Category: *measure* - source: *MISP Project* - total: *20* elements -[[HTML](https://www.misp-project.org/galaxy.html#_preventive_measure)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/preventive-measure.json)] +[[HTML](https://www.misp-galaxy.org/preventive-measure)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/preventive-measure.json)] ## Producer -[Producer](https://www.misp-project.org/galaxy.html#_producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large. +[Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large. 
-Category: *actor* - source: *MISP Project* - total: *15* elements +Category: *actor* - source: *MISP Project* - total: *21* elements -[[HTML](https://www.misp-project.org/galaxy.html#_producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)] +[[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)] ## Ransomware -[Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar +[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar Category: *tool* - source: *Various* - total: *1706* elements -[[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] +[[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] ## RAT -[RAT](https://www.misp-project.org/galaxy.html#_rat) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system. +[RAT](https://www.misp-galaxy.org/rat) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system. 
Category: *tool* - source: *MISP Project* - total: *266* elements -[[HTML](https://www.misp-project.org/galaxy.html#_rat)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rat.json)] +[[HTML](https://www.misp-galaxy.org/rat)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rat.json)] ## Regions UN M49 -[Regions UN M49](https://www.misp-project.org/galaxy.html#_regions_un_m49) - Regions based on UN M49. +[Regions UN M49](https://www.misp-galaxy.org/region) - Regions based on UN M49. Category: *location* - source: *https://unstats.un.org/unsd/methodology/m49/overview/* - total: *32* elements -[[HTML](https://www.misp-project.org/galaxy.html#_regions_un_m49)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/region.json)] +[[HTML](https://www.misp-galaxy.org/region)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/region.json)] ## rsit -[rsit](https://www.misp-project.org/galaxy.html#_rsit) - rsit +[rsit](https://www.misp-galaxy.org/rsit) - rsit Category: *rsit* - source: *https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force* - total: *39* elements -[[HTML](https://www.misp-project.org/galaxy.html#_rsit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rsit.json)] +[[HTML](https://www.misp-galaxy.org/rsit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rsit.json)] ## Sector -[Sector](https://www.misp-project.org/galaxy.html#_sector) - Activity sectors +[Sector](https://www.misp-galaxy.org/sector) - Activity sectors Category: *sector* - source: *CERT-EU* - total: *118* elements -[[HTML](https://www.misp-project.org/galaxy.html#_sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)] +[[HTML](https://www.misp-galaxy.org/sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)] ## Sigma-Rules -[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based 
on Sigma Rules. +[Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules. -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2876* elements +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2879* elements -[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] +[[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] ## Dark Patterns -[Dark Patterns](https://www.misp-project.org/galaxy.html#_dark_patterns) - Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user. +[Dark Patterns](https://www.misp-galaxy.org/social-dark-patterns) - Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user. 
Category: *dark-patterns* - source: *CIRCL* - total: *19* elements -[[HTML](https://www.misp-project.org/galaxy.html#_dark_patterns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/social-dark-patterns.json)] +[[HTML](https://www.misp-galaxy.org/social-dark-patterns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/social-dark-patterns.json)] ## SoD Matrix -[SoD Matrix](https://www.misp-project.org/galaxy.html#_sod_matrix) - SOD Matrix +[SoD Matrix](https://www.misp-galaxy.org/sod-matrix) - SOD Matrix Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total: *276* elements -[[HTML](https://www.misp-project.org/galaxy.html#_sod_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sod-matrix.json)] +[[HTML](https://www.misp-galaxy.org/sod-matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sod-matrix.json)] ## Stealer -[Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer. +[Stealer](https://www.misp-galaxy.org/stealer) - A list of malware stealer. Category: *tool* - source: *Open Sources* - total: *16* elements -[[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)] +[[HTML](https://www.misp-galaxy.org/stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)] ## Surveillance Vendor -[Surveillance Vendor](https://www.misp-project.org/galaxy.html#_surveillance_vendor) - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services. +[Surveillance Vendor](https://www.misp-galaxy.org/surveillance-vendor) - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services. 
Category: *actor* - source: *MISP Project* - total: *50* elements -[[HTML](https://www.misp-project.org/galaxy.html#_surveillance_vendor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/surveillance-vendor.json)] +[[HTML](https://www.misp-galaxy.org/surveillance-vendor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/surveillance-vendor.json)] ## Target Information -[Target Information](https://www.misp-project.org/galaxy.html#_target_information) - Description of targets of threat actors. +[Target Information](https://www.misp-galaxy.org/target-information) - Description of targets of threat actors. Category: *target* - source: *Various* - total: *241* elements -[[HTML](https://www.misp-project.org/galaxy.html#_target_information)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/target-information.json)] +[[HTML](https://www.misp-galaxy.org/target-information)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/target-information.json)] ## TDS -[TDS](https://www.misp-project.org/galaxy.html#_tds) - TDS is a list of Traffic Direction System used by adversaries +[TDS](https://www.misp-galaxy.org/tds) - TDS is a list of Traffic Direction System used by adversaries Category: *tool* - source: *MISP Project* - total: *11* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)] +[[HTML](https://www.misp-galaxy.org/tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)] ## Tea Matrix -[Tea Matrix](https://www.misp-project.org/galaxy.html#_tea_matrix) - Tea Matrix +[Tea Matrix](https://www.misp-galaxy.org/tea-matrix) - Tea Matrix Category: *tea-matrix* - source: ** - total: *7* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tea_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tea-matrix.json)] +[[HTML](https://www.misp-galaxy.org/tea-matrix)] - 
[[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tea-matrix.json)] ## Threat Actor -[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. +[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *671* elements +Category: *actor* - source: *MISP Project* - total: *675* elements -[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] +[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] ## Tidal Campaigns -[Tidal Campaigns](https://www.misp-project.org/galaxy.html#_tidal_campaigns) - Tidal Campaigns Cluster +[Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *41* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tidal_campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)] +[[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)] ## Tidal Groups -[Tidal Groups](https://www.misp-project.org/galaxy.html#_tidal_groups) - Tidal 
Groups Galaxy +[Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *163* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tidal_groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)] +[[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)] ## Tidal References -[Tidal References](https://www.misp-project.org/galaxy.html#_tidal_references) - Tidal References Cluster +[Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *3872* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tidal_references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)] +[[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)] ## Tidal Software -[Tidal Software](https://www.misp-project.org/galaxy.html#_tidal_software) - Tidal Software Cluster +[Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *931* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tidal_software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)] +[[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)] ## Tidal Tactic -[Tidal Tactic](https://www.misp-project.org/galaxy.html#_tidal_tactic) - Tidal Tactic Cluster +[Tidal Tactic](https://www.misp-galaxy.org/tidal-tactic) - Tidal Tactic Cluster Category: *Tactic* - source: *https://app-api.tidalcyber.com/api/v1/tactic/* 
- total: *14* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tidal_tactic)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-tactic.json)] +[[HTML](https://www.misp-galaxy.org/tidal-tactic)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-tactic.json)] ## Tidal Technique -[Tidal Technique](https://www.misp-project.org/galaxy.html#_tidal_technique) - Tidal Technique Cluster +[Tidal Technique](https://www.misp-galaxy.org/tidal-technique) - Tidal Technique Cluster Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *201* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tidal_technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)] +[[HTML](https://www.misp-galaxy.org/tidal-technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)] ## Threat Matrix for storage services -[Threat Matrix for storage services](https://www.misp-project.org/galaxy.html#_threat_matrix_for_storage_services) - Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers. +[Threat Matrix for storage services](https://www.misp-galaxy.org/tmss) - Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers. 
Category: *tmss* - source: *https://github.com/microsoft/Threat-matrix-for-storage-services* - total: *40* elements -[[HTML](https://www.misp-project.org/galaxy.html#_threat_matrix_for_storage_services)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tmss.json)] +[[HTML](https://www.misp-galaxy.org/tmss)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tmss.json)] ## Tool -[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. +[Tool](https://www.misp-galaxy.org/tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. Category: *tool* - source: *MISP Project* - total: *603* elements -[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)] +[[HTML](https://www.misp-galaxy.org/tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)] ## UAVs/UCAVs -[UAVs/UCAVs](https://www.misp-project.org/galaxy.html#_uavs/ucavs) - Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles +[UAVs/UCAVs](https://www.misp-galaxy.org/uavs) - Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles Category: *military equipment* - source: *Popular Mechanics* - total: *36* elements -[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)] +[[HTML](https://www.misp-galaxy.org/uavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)] ## UKHSA Culture Collections -[UKHSA Culture Collections](https://www.misp-project.org/galaxy.html#_ukhsa_culture_collections) - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell 
lines and microbial strains of known provenance.
+[UKHSA Culture Collections](https://www.misp-galaxy.org/ukhsa-culture-collections) - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.
 Category: *virus* - source: *https://www.culturecollections.org.uk* - total: *6667* elements
-[[HTML](https://www.misp-project.org/galaxy.html#_ukhsa_culture_collections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ukhsa-culture-collections.json)]
+[[HTML](https://www.misp-galaxy.org/ukhsa-culture-collections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ukhsa-culture-collections.json)]
 # Online documentation
diff --git a/tools/generate-index.py b/tools/generate-index.py
index c163736..56bdc94 100755
--- a/tools/generate-index.py
+++ b/tools/generate-index.py
@@ -13,6 +13,7 @@ def gen_galaxy_tag(galaxy_name, cluster_name):
     # return 'misp-galaxy:{}="{}"'.format(galaxy_name, cluster_name)
     return '{}={}'.format(galaxy_name, cluster_name)
+
 galaxies_fnames = []
 files_to_ignore = ["cancer.json", "handicap.json"]
 pathClusters = '../clusters'
@@ -28,10 +29,10 @@ for f in galaxies_fnames:
     with open(os.path.join(pathClusters, f)) as fr:
         cluster = json.load(fr)
         output = f'{output}\n## {cluster["name"]}\n\n'
-        link = cluster["name"].replace(" ", "_").lower()
+        link = f.split(".")[0]
         total = len(cluster["values"])
-        output = f'{output}[{cluster["name"]}](https://www.misp-project.org/galaxy.html#_{link}) - {cluster["description"]}\n'
+        output = f'{output}[{cluster["name"]}](https://www.misp-galaxy.org/{link}) - {cluster["description"]}\n'
         output = f'{output}\nCategory: *{cluster["category"]}* - source: *{cluster["source"]}* - total: *{total}* elements\n'
-        output = f'{output}\n[[HTML](https://www.misp-project.org/galaxy.html#_{link})] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/{f})]\n'
+        output = f'{output}\n[[HTML](https://www.misp-galaxy.org/{link})] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/{f})]\n'
 print(output)
From 20ff10b5b1741800a4b4cde397e9425df5143753 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Mon, 27 May 2024 21:57:08 +0200
Subject: [PATCH 6/9] fix: [readme] update index + hide deprecated galaxies
---
 README.md | 101 +----
 tools/generate-index.py | 38 --
 tools/index.txt | 689 ------------------------------
 tools/update_README_with_index.py | 68 +++
 4 files changed, 71 insertions(+), 825 deletions(-)
 delete mode 100755 tools/generate-index.py
 delete mode 100644 tools/index.txt
 create mode 100755 tools/update_README_with_index.py
diff --git a/README.md b/README.md
index ebf48fe..efce81f 100644
--- a/README.md
+++ b/README.md
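Review bot: `link = f.split(".")[0]` builds the URL slug by cutting the filename at its first dot, so any cluster file whose stem contains a dot would silently yield a truncated, wrong link; `link = os.path.splitext(f)[0]` states the intent (strip the `.json` extension), is robust to that case, and `os` is already imported by this file. The same loop interpolates `cluster["name"]` and `cluster["description"]` into markdown link syntax unescaped, which only holds because the cluster files are repository-controlled; a comment such as `# cluster JSON is trusted repo content; name/description are not markdown-escaped` would make that assumption explicit for the next maintainer. The enclosing `for f in galaxies_fnames:` loop starts before the hunk.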
@@ -293,7 +293,7 @@ Category: *d3fend* - source: *https://d3fend.mitre.org/* - total: *171* elements
 ## mitre-data-component
-[mitre-data-component](https://www.misp-galaxy.org/mitre-data-component) - Data components are parts of data sources.
+[mitre-data-component](https://www.misp-galaxy.org/mitre-data-component) - Data components are parts of data sources.
 Category: *data-component* - source: *https://github.com/mitre/cti* - total: *117* elements
@@ -301,52 +301,12 @@ Category: *data-component* - source: *https://github.com/mitre/cti* - total: *11 ## mitre-data-source -[mitre-data-source](https://www.misp-galaxy.org/mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs. +[mitre-data-source](https://www.misp-galaxy.org/mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Category: *data-source* - source: *https://github.com/mitre/cti* - total: *40* elements [[HTML](https://www.misp-galaxy.org/mitre-data-source)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-source.json)] -## Enterprise Attack - Attack Pattern - -[Enterprise Attack - Attack Pattern](https://www.misp-galaxy.org/mitre-enterprise-attack-attack-pattern) - ATT&CK tactic - -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *219* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-attack-pattern.json)] - -## Enterprise Attack - Course of Action - -[Enterprise Attack - Course of Action](https://www.misp-galaxy.org/mitre-enterprise-attack-course-of-action) - ATT&CK Mitigation - -Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *215* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-course-of-action.json)] - -## Enterprise Attack - Intrusion Set - -[Enterprise Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-enterprise-attack-intrusion-set) - Name of ATT&CK Group - -Category: *actor* - source: *https://github.com/mitre/cti* - total: *69* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-intrusion-set)] - 
[[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-intrusion-set.json)] - -## Enterprise Attack - Malware - -[Enterprise Attack - Malware](https://www.misp-galaxy.org/mitre-enterprise-attack-malware) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *188* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-malware.json)] - -## Enterprise Attack - Tool - -[Enterprise Attack - Tool](https://www.misp-galaxy.org/mitre-enterprise-attack-tool) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *45* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-tool.json)] - ## Assets [Assets](https://www.misp-galaxy.org/mitre-ics-assets) - A list of asset categories that are commonly found in industrial control systems. 
@@ -411,62 +371,6 @@ Category: *tool* - source: *https://github.com/mitre/cti* - total: *705* element [[HTML](https://www.misp-galaxy.org/mitre-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)] -## Mobile Attack - Attack Pattern - -[Mobile Attack - Attack Pattern](https://www.misp-galaxy.org/mitre-mobile-attack-attack-pattern) - ATT&CK tactic - -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *76* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-attack-pattern.json)] - -## Mobile Attack - Course of Action - -[Mobile Attack - Course of Action](https://www.misp-galaxy.org/mitre-mobile-attack-course-of-action) - ATT&CK Mitigation - -Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *14* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-course-of-action.json)] - -## Mobile Attack - Intrusion Set - -[Mobile Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-mobile-attack-intrusion-set) - Name of ATT&CK Group - -Category: *actor* - source: *https://github.com/mitre/cti* - total: *1* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-intrusion-set.json)] - -## Mobile Attack - Malware - -[Mobile Attack - Malware](https://www.misp-galaxy.org/mitre-mobile-attack-malware) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *35* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-malware.json)] - -## Mobile Attack - Tool - -[Mobile Attack - 
Tool](https://www.misp-galaxy.org/mitre-mobile-attack-tool) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *1* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-tool.json)] - -## Pre Attack - Attack Pattern - -[Pre Attack - Attack Pattern](https://www.misp-galaxy.org/mitre-pre-attack-attack-pattern) - ATT&CK tactic - -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *174* elements - -[[HTML](https://www.misp-galaxy.org/mitre-pre-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-attack-pattern.json)] - -## Pre Attack - Intrusion Set - -[Pre Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-pre-attack-intrusion-set) - Name of ATT&CK Group - -Category: *actor* - source: *https://github.com/mitre/cti* - total: *7* elements - -[[HTML](https://www.misp-galaxy.org/mitre-pre-attack-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-intrusion-set.json)] - ## mitre-tool [mitre-tool](https://www.misp-galaxy.org/mitre-tool) - Name of ATT&CK software @@ -707,6 +611,7 @@ Category: *virus* - source: *https://www.culturecollections.org.uk* - total: *66 [[HTML](https://www.misp-galaxy.org/ukhsa-culture-collections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ukhsa-culture-collections.json)] + # Online documentation The [misp-galaxy.org](https://misp-galaxy.org) website provides an easily navigable resource for all MISP galaxy clusters. diff --git a/tools/generate-index.py b/tools/generate-index.py deleted file mode 100755 index 56bdc94..0000000 --- a/tools/generate-index.py +++ /dev/null 
@@ -1,38 +0,0 @@
-#!/usr/bin/env python3
-import json
-import os
-import argparse
-
-
-parser = argparse.ArgumentParser(description='Generate a markdown index with all the galaxy available')
-parser.add_argument("-v", "--verbose", action='store_true', help='Verbose output')
-args = parser.parse_args()
-
-
-def gen_galaxy_tag(galaxy_name, cluster_name):
-    # return 'misp-galaxy:{}="{}"'.format(galaxy_name, cluster_name)
-    return '{}={}'.format(galaxy_name, cluster_name)
-
-
-galaxies_fnames = []
-files_to_ignore = ["cancer.json", "handicap.json"]
-pathClusters = '../clusters'
-
-for f in os.listdir(pathClusters):
-    if '.json' in f and f not in files_to_ignore:
-        galaxies_fnames.append(f)
-
-galaxies_fnames.sort()
-output = ""
-
-for f in galaxies_fnames:
-    with open(os.path.join(pathClusters, f)) as fr:
-        cluster = json.load(fr)
-        output = f'{output}\n## {cluster["name"]}\n\n'
-        link = f.split(".")[0]
-        total = len(cluster["values"])
-        output = f'{output}[{cluster["name"]}](https://www.misp-galaxy.org/{link}) - {cluster["description"]}\n'
-        output = f'{output}\nCategory: *{cluster["category"]}* - source: *{cluster["source"]}* - total: *{total}* elements\n'
-        output = f'{output}\n[[HTML](https://www.misp-galaxy.org/{link})] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/{f})]\n'
-
-print(output)
diff --git a/tools/index.txt b/tools/index.txt
deleted file mode 100644
index a9eec7e..0000000
--- a/tools/index.txt
+++ /dev/null
@@ -1,689 +0,0 @@ - -## 360.net Threat Actors - -[360.net Threat Actors](https://www.misp-galaxy.org/360net) - Known or estimated adversary groups as identified by 360.net. - -Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements - -[[HTML](https://www.misp-galaxy.org/360net)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)] - -## Ammunitions - -[Ammunitions](https://www.misp-galaxy.org/ammunitions) - Common ammunitions galaxy - -Category: *firearm* - source: *https://ammo.com/* - total: *410* elements - -[[HTML](https://www.misp-galaxy.org/ammunitions)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ammunitions.json)] - -## Android - -[Android](https://www.misp-galaxy.org/android) - Android malware galaxy based on multiple open sources. - -Category: *tool* - source: *Open Sources* - total: *433* elements - -[[HTML](https://www.misp-galaxy.org/android)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/android.json)] - -## Azure Threat Research Matrix - -[Azure Threat Research Matrix](https://www.misp-galaxy.org/atrm) - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse. 
- -Category: *atrm* - source: *https://github.com/microsoft/Azure-Threat-Research-Matrix* - total: *90* elements - -[[HTML](https://www.misp-galaxy.org/atrm)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/atrm.json)] - -## attck4fraud - -[attck4fraud](https://www.misp-galaxy.org/attck4fraud) - attck4fraud - Principles of MITRE ATT&CK in the fraud domain - -Category: *guidelines* - source: *Open Sources* - total: *71* elements - -[[HTML](https://www.misp-galaxy.org/attck4fraud)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/attck4fraud.json)] - -## Backdoor - -[Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware. - -Category: *tool* - source: *Open Sources* - total: *28* elements - -[[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] - -## Banker - -[Banker](https://www.misp-galaxy.org/banker) - A list of banker malware. - -Category: *tool* - source: *Open Sources* - total: *53* elements - -[[HTML](https://www.misp-galaxy.org/banker)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/banker.json)] - -## Bhadra Framework - -[Bhadra Framework](https://www.misp-galaxy.org/bhadra-framework) - Bhadra Threat Modeling Framework - -Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47* elements - -[[HTML](https://www.misp-galaxy.org/bhadra-framework)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/bhadra-framework.json)] - -## Botnet - -[Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy - -Category: *tool* - source: *MISP Project* - total: *130* elements - -[[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)] - -## Branded Vulnerability - -[Branded Vulnerability](https://www.misp-galaxy.org/branded_vulnerability) - List of known vulnerabilities and attacks with a branding - -Category: 
*vulnerability* - source: *Open Sources* - total: *14* elements - -[[HTML](https://www.misp-galaxy.org/branded_vulnerability)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/branded_vulnerability.json)] - -## Cert EU GovSector - -[Cert EU GovSector](https://www.misp-galaxy.org/cert-eu-govsector) - Cert EU GovSector - -Category: *sector* - source: *CERT-EU* - total: *6* elements - -[[HTML](https://www.misp-galaxy.org/cert-eu-govsector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cert-eu-govsector.json)] - -## China Defence Universities Tracker - -[China Defence Universities Tracker](https://www.misp-galaxy.org/china-defence-universities) - The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre. - -Category: *academic-institution* - source: *ASPI International Cyber Policy Centre* - total: *159* elements - -[[HTML](https://www.misp-galaxy.org/china-defence-universities)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/china-defence-universities.json)] - -## CONCORDIA Mobile Modelling Framework - Attack Pattern - -[CONCORDIA Mobile Modelling Framework - Attack Pattern](https://www.misp-galaxy.org/cmtmf-attack-pattern) - A list of Techniques in CONCORDIA Mobile Modelling Framework. - -Category: *cmtmf-attack-pattern* - source: *https://5g4iot.vlab.cs.hioa.no/* - total: *93* elements - -[[HTML](https://www.misp-galaxy.org/cmtmf-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cmtmf-attack-pattern.json)] - -## Country - -[Country](https://www.misp-galaxy.org/country) - Country meta information based on the database provided by geonames.org. 
- -Category: *country* - source: *MISP Project* - total: *252* elements - -[[HTML](https://www.misp-galaxy.org/country)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/country.json)] - -## Cryptominers - -[Cryptominers](https://www.misp-galaxy.org/cryptominers) - A list of cryptominer and cryptojacker malware. - -Category: *Cryptominers* - source: *Open Source Intelligence* - total: *5* elements - -[[HTML](https://www.misp-galaxy.org/cryptominers)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cryptominers.json)] - -## Actor Types - -[Actor Types](https://www.misp-galaxy.org/disarm-actortypes) - DISARM is a framework designed for describing and understanding disinformation incidents. - -Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *33* elements - -[[HTML](https://www.misp-galaxy.org/disarm-actortypes)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-actortypes.json)] - -## Countermeasures - -[Countermeasures](https://www.misp-galaxy.org/disarm-countermeasures) - DISARM is a framework designed for describing and understanding disinformation incidents. - -Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *139* elements - -[[HTML](https://www.misp-galaxy.org/disarm-countermeasures)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-countermeasures.json)] - -## Detections - -[Detections](https://www.misp-galaxy.org/disarm-detections) - DISARM is a framework designed for describing and understanding disinformation incidents. 
- -Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *94* elements - -[[HTML](https://www.misp-galaxy.org/disarm-detections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-detections.json)] - -## Techniques - -[Techniques](https://www.misp-galaxy.org/disarm-techniques) - DISARM is a framework designed for describing and understanding disinformation incidents. - -Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *298* elements - -[[HTML](https://www.misp-galaxy.org/disarm-techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-techniques.json)] - -## Election guidelines - -[Election guidelines](https://www.misp-galaxy.org/election-guidelines) - Universal Development and Security Guidelines as Applicable to Election Technology. - -Category: *guidelines* - source: *Open Sources* - total: *23* elements - -[[HTML](https://www.misp-galaxy.org/election-guidelines)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/election-guidelines.json)] - -## Entity - -[Entity](https://www.misp-galaxy.org/entity) - Description of entities that can be involved in events. - -Category: *actor* - source: *MISP Project* - total: *4* elements - -[[HTML](https://www.misp-galaxy.org/entity)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/entity.json)] - -## Exploit-Kit - -[Exploit-Kit](https://www.misp-galaxy.org/exploit-kit) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. 
The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years - -Category: *tool* - source: *MISP Project* - total: *52* elements - -[[HTML](https://www.misp-galaxy.org/exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)] - -## Firearms - -[Firearms](https://www.misp-galaxy.org/firearms) - Common firearms galaxy - -Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* elements - -[[HTML](https://www.misp-galaxy.org/firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)] - -## FIRST DNS Abuse Techniques Matrix - -[FIRST DNS Abuse Techniques Matrix](https://www.misp-galaxy.org/first-dns) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information. 
- -Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements - -[[HTML](https://www.misp-galaxy.org/first-dns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-dns.json)] - -## Intelligence Agencies - -[Intelligence Agencies](https://www.misp-galaxy.org/intelligence-agencies) - List of intelligence agencies - -Category: *Intelligence Agencies* - source: *https://en.wikipedia.org/wiki/List_of_intelligence_agencies* - total: *436* elements - -[[HTML](https://www.misp-galaxy.org/intelligence-agencies)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/intelligence-agencies.json)] - -## INTERPOL DWVA Taxonomy - -[INTERPOL DWVA Taxonomy](https://www.misp-galaxy.org/interpol-dwva) - This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems. - -Category: *dwva* - source: *https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/* - total: *94* elements - -[[HTML](https://www.misp-galaxy.org/interpol-dwva)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/interpol-dwva.json)] - -## Malpedia - -[Malpedia](https://www.misp-galaxy.org/malpedia) - Malware galaxy cluster based on Malpedia. 
- -Category: *tool* - source: *Malpedia* - total: *3039* elements - -[[HTML](https://www.misp-galaxy.org/malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)] - -## Microsoft Activity Group actor - -[Microsoft Activity Group actor](https://www.misp-galaxy.org/microsoft-activity-group) - Activity groups as described by Microsoft - -Category: *actor* - source: *MISP Project* - total: *79* elements - -[[HTML](https://www.misp-galaxy.org/microsoft-activity-group)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/microsoft-activity-group.json)] - -## Misinformation Pattern - -[Misinformation Pattern](https://www.misp-galaxy.org/misinfosec-amitt-misinformation-pattern) - AM!TT Technique - -Category: *misinformation-pattern* - source: *https://github.com/misinfosecproject/amitt_framework* - total: *61* elements - -[[HTML](https://www.misp-galaxy.org/misinfosec-amitt-misinformation-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/misinfosec-amitt-misinformation-pattern.json)] - -## MITRE ATLAS Attack Pattern - -[MITRE ATLAS Attack Pattern](https://www.misp-galaxy.org/mitre-atlas-attack-pattern) - MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems - -Category: *attack-pattern* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *82* elements - -[[HTML](https://www.misp-galaxy.org/mitre-atlas-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-attack-pattern.json)] - -## MITRE ATLAS Course of Action - -[MITRE ATLAS Course of Action](https://www.misp-galaxy.org/mitre-atlas-course-of-action) - MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems - -Category: *course-of-action* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *20* elements - -[[HTML](https://www.misp-galaxy.org/mitre-atlas-course-of-action)] - 
[[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-course-of-action.json)] - -## Attack Pattern - -[Attack Pattern](https://www.misp-galaxy.org/mitre-attack-pattern) - ATT&CK tactic - -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1141* elements - -[[HTML](https://www.misp-galaxy.org/mitre-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)] - -## Course of Action - -[Course of Action](https://www.misp-galaxy.org/mitre-course-of-action) - ATT&CK Mitigation - -Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *281* elements - -[[HTML](https://www.misp-galaxy.org/mitre-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-course-of-action.json)] - -## MITRE D3FEND - -[MITRE D3FEND](https://www.misp-galaxy.org/mitre-d3fend) - A knowledge graph of cybersecurity countermeasures. - -Category: *d3fend* - source: *https://d3fend.mitre.org/* - total: *171* elements - -[[HTML](https://www.misp-galaxy.org/mitre-d3fend)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-d3fend.json)] - -## mitre-data-component - -[mitre-data-component](https://www.misp-galaxy.org/mitre-data-component) - Data components are parts of data sources. - -Category: *data-component* - source: *https://github.com/mitre/cti* - total: *117* elements - -[[HTML](https://www.misp-galaxy.org/mitre-data-component)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-component.json)] - -## mitre-data-source - -[mitre-data-source](https://www.misp-galaxy.org/mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs. 
- -Category: *data-source* - source: *https://github.com/mitre/cti* - total: *40* elements - -[[HTML](https://www.misp-galaxy.org/mitre-data-source)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-source.json)] - -## Enterprise Attack - Attack Pattern - -[Enterprise Attack - Attack Pattern](https://www.misp-galaxy.org/mitre-enterprise-attack-attack-pattern) - ATT&CK tactic - -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *219* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-attack-pattern.json)] - -## Enterprise Attack - Course of Action - -[Enterprise Attack - Course of Action](https://www.misp-galaxy.org/mitre-enterprise-attack-course-of-action) - ATT&CK Mitigation - -Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *215* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-course-of-action.json)] - -## Enterprise Attack - Intrusion Set - -[Enterprise Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-enterprise-attack-intrusion-set) - Name of ATT&CK Group - -Category: *actor* - source: *https://github.com/mitre/cti* - total: *69* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-intrusion-set.json)] - -## Enterprise Attack - Malware - -[Enterprise Attack - Malware](https://www.misp-galaxy.org/mitre-enterprise-attack-malware) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *188* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-malware)] - 
[[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-malware.json)] - -## Enterprise Attack - Tool - -[Enterprise Attack - Tool](https://www.misp-galaxy.org/mitre-enterprise-attack-tool) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *45* elements - -[[HTML](https://www.misp-galaxy.org/mitre-enterprise-attack-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-enterprise-attack-tool.json)] - -## Assets - -[Assets](https://www.misp-galaxy.org/mitre-ics-assets) - A list of asset categories that are commonly found in industrial control systems. - -Category: *asset* - source: *https://collaborate.mitre.org/attackics/index.php/All_Assets* - total: *7* elements - -[[HTML](https://www.misp-galaxy.org/mitre-ics-assets)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-assets.json)] - -## Groups - -[Groups](https://www.misp-galaxy.org/mitre-ics-groups) - Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions. - -Category: *actor* - source: *https://collaborate.mitre.org/attackics/index.php/Groups* - total: *10* elements - -[[HTML](https://www.misp-galaxy.org/mitre-ics-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-groups.json)] - -## Levels - -[Levels](https://www.misp-galaxy.org/mitre-ics-levels) - Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment. 
- -Category: *level* - source: *https://collaborate.mitre.org/attackics/index.php/All_Levels* - total: *3* elements - -[[HTML](https://www.misp-galaxy.org/mitre-ics-levels)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-levels.json)] - -## Software - -[Software](https://www.misp-galaxy.org/mitre-ics-software) - Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS. - -Category: *tool* - source: *https://collaborate.mitre.org/attackics/index.php/Software* - total: *17* elements - -[[HTML](https://www.misp-galaxy.org/mitre-ics-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-software.json)] - -## Tactics - -[Tactics](https://www.misp-galaxy.org/mitre-ics-tactics) - A list of all 11 tactics in ATT&CK for ICS - -Category: *tactic* - source: *https://collaborate.mitre.org/attackics/index.php/All_Tactics* - total: *9* elements - -[[HTML](https://www.misp-galaxy.org/mitre-ics-tactics)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-tactics.json)] - -## Techniques - -[Techniques](https://www.misp-galaxy.org/mitre-ics-techniques) - A list of Techniques in ATT&CK for ICS. 
- -Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/index.php/All_Techniques* - total: *78* elements - -[[HTML](https://www.misp-galaxy.org/mitre-ics-techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-ics-techniques.json)] - -## Intrusion Set - -[Intrusion Set](https://www.misp-galaxy.org/mitre-intrusion-set) - Name of ATT&CK Group - -Category: *actor* - source: *https://github.com/mitre/cti* - total: *165* elements - -[[HTML](https://www.misp-galaxy.org/mitre-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)] - -## Malware - -[Malware](https://www.misp-galaxy.org/mitre-malware) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *705* elements - -[[HTML](https://www.misp-galaxy.org/mitre-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)] - -## Mobile Attack - Attack Pattern - -[Mobile Attack - Attack Pattern](https://www.misp-galaxy.org/mitre-mobile-attack-attack-pattern) - ATT&CK tactic - -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *76* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-attack-pattern.json)] - -## Mobile Attack - Course of Action - -[Mobile Attack - Course of Action](https://www.misp-galaxy.org/mitre-mobile-attack-course-of-action) - ATT&CK Mitigation - -Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *14* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-course-of-action.json)] - -## Mobile Attack - Intrusion Set - -[Mobile Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-mobile-attack-intrusion-set) - Name of ATT&CK Group - 
-Category: *actor* - source: *https://github.com/mitre/cti* - total: *1* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-intrusion-set.json)] - -## Mobile Attack - Malware - -[Mobile Attack - Malware](https://www.misp-galaxy.org/mitre-mobile-attack-malware) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *35* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-malware.json)] - -## Mobile Attack - Tool - -[Mobile Attack - Tool](https://www.misp-galaxy.org/mitre-mobile-attack-tool) - Name of ATT&CK software - -Category: *tool* - source: *https://github.com/mitre/cti* - total: *1* elements - -[[HTML](https://www.misp-galaxy.org/mitre-mobile-attack-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-mobile-attack-tool.json)] - -## Pre Attack - Attack Pattern - -[Pre Attack - Attack Pattern](https://www.misp-galaxy.org/mitre-pre-attack-attack-pattern) - ATT&CK tactic - -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *174* elements - -[[HTML](https://www.misp-galaxy.org/mitre-pre-attack-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-attack-pattern.json)] - -## Pre Attack - Intrusion Set - -[Pre Attack - Intrusion Set](https://www.misp-galaxy.org/mitre-pre-attack-intrusion-set) - Name of ATT&CK Group - -Category: *actor* - source: *https://github.com/mitre/cti* - total: *7* elements - -[[HTML](https://www.misp-galaxy.org/mitre-pre-attack-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-pre-attack-intrusion-set.json)] - -## mitre-tool - -[mitre-tool](https://www.misp-galaxy.org/mitre-tool) - Name of ATT&CK software - -Category: *tool* - source: 
*https://github.com/mitre/cti* - total: *87* elements - -[[HTML](https://www.misp-galaxy.org/mitre-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)] - -## NAICS - -[NAICS](https://www.misp-galaxy.org/naics) - The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production). - -Category: *sector* - source: *North American Industry Classification System - NAICS* - total: *2125* elements - -[[HTML](https://www.misp-galaxy.org/naics)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/naics.json)] - -## o365-exchange-techniques - -[o365-exchange-techniques](https://www.misp-galaxy.org/o365-exchange-techniques) - o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC and @inversecos - -Category: *guidelines* - source: *Open Sources, https://www.inversecos.com/2021/09/office365-attacks-bypassing-mfa.html* - total: *62* elements - -[[HTML](https://www.misp-galaxy.org/o365-exchange-techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/o365-exchange-techniques.json)] - -## online-service - -[online-service](https://www.misp-galaxy.org/online-service) - Known public online services. - -Category: *tool* - source: *Open Sources* - total: *1* elements - -[[HTML](https://www.misp-galaxy.org/online-service)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/online-service.json)] - -## Preventive Measure - -[Preventive Measure](https://www.misp-galaxy.org/preventive-measure) - Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures. 
- -Category: *measure* - source: *MISP Project* - total: *20* elements - -[[HTML](https://www.misp-galaxy.org/preventive-measure)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/preventive-measure.json)] - -## Producer - -[Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large. - -Category: *actor* - source: *MISP Project* - total: *21* elements - -[[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)] - -## Ransomware - -[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar - -Category: *tool* - source: *Various* - total: *1706* elements - -[[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] - -## RAT - -[RAT](https://www.misp-galaxy.org/rat) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system. - -Category: *tool* - source: *MISP Project* - total: *266* elements - -[[HTML](https://www.misp-galaxy.org/rat)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rat.json)] - -## Regions UN M49 - -[Regions UN M49](https://www.misp-galaxy.org/region) - Regions based on UN M49. 
- -Category: *location* - source: *https://unstats.un.org/unsd/methodology/m49/overview/* - total: *32* elements - -[[HTML](https://www.misp-galaxy.org/region)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/region.json)] - -## rsit - -[rsit](https://www.misp-galaxy.org/rsit) - rsit - -Category: *rsit* - source: *https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force* - total: *39* elements - -[[HTML](https://www.misp-galaxy.org/rsit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rsit.json)] - -## Sector - -[Sector](https://www.misp-galaxy.org/sector) - Activity sectors - -Category: *sector* - source: *CERT-EU* - total: *118* elements - -[[HTML](https://www.misp-galaxy.org/sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)] - -## Sigma-Rules - -[Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules. - -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2888* elements - -[[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] - -## Dark Patterns - -[Dark Patterns](https://www.misp-galaxy.org/social-dark-patterns) - Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user. 
- -Category: *dark-patterns* - source: *CIRCL* - total: *19* elements - -[[HTML](https://www.misp-galaxy.org/social-dark-patterns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/social-dark-patterns.json)] - -## SoD Matrix - -[SoD Matrix](https://www.misp-galaxy.org/sod-matrix) - SOD Matrix - -Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total: *276* elements - -[[HTML](https://www.misp-galaxy.org/sod-matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sod-matrix.json)] - -## Stealer - -[Stealer](https://www.misp-galaxy.org/stealer) - A list of malware stealer. - -Category: *tool* - source: *Open Sources* - total: *16* elements - -[[HTML](https://www.misp-galaxy.org/stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)] - -## Surveillance Vendor - -[Surveillance Vendor](https://www.misp-galaxy.org/surveillance-vendor) - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services. - -Category: *actor* - source: *MISP Project* - total: *50* elements - -[[HTML](https://www.misp-galaxy.org/surveillance-vendor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/surveillance-vendor.json)] - -## Target Information - -[Target Information](https://www.misp-galaxy.org/target-information) - Description of targets of threat actors. 
- -Category: *target* - source: *Various* - total: *241* elements - -[[HTML](https://www.misp-galaxy.org/target-information)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/target-information.json)] - -## TDS - -[TDS](https://www.misp-galaxy.org/tds) - TDS is a list of Traffic Direction System used by adversaries - -Category: *tool* - source: *MISP Project* - total: *11* elements - -[[HTML](https://www.misp-galaxy.org/tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)] - -## Tea Matrix - -[Tea Matrix](https://www.misp-galaxy.org/tea-matrix) - Tea Matrix - -Category: *tea-matrix* - source: ** - total: *7* elements - -[[HTML](https://www.misp-galaxy.org/tea-matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tea-matrix.json)] - -## Threat Actor - -[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. 
- -Category: *actor* - source: *MISP Project* - total: *678* elements - -[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] - -## Tidal Campaigns - -[Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster - -Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *48* elements - -[[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)] - -## Tidal Groups - -[Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy - -Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *172* elements - -[[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)] - -## Tidal References - -[Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster - -Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4104* elements - -[[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)] - -## Tidal Software - -[Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster - -Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *961* elements - -[[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)] - -## Tidal Tactic - -[Tidal Tactic](https://www.misp-galaxy.org/tidal-tactic) - Tidal Tactic Cluster - -Category: *Tactic* - source: *https://app-api.tidalcyber.com/api/v1/tactic/* - total: *14* elements - -[[HTML](https://www.misp-galaxy.org/tidal-tactic)] - 
[[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-tactic.json)] - -## Tidal Technique - -[Tidal Technique](https://www.misp-galaxy.org/tidal-technique) - Tidal Technique Cluster - -Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *202* elements - -[[HTML](https://www.misp-galaxy.org/tidal-technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)] - -## Threat Matrix for storage services - -[Threat Matrix for storage services](https://www.misp-galaxy.org/tmss) - Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers. - -Category: *tmss* - source: *https://github.com/microsoft/Threat-matrix-for-storage-services* - total: *40* elements - -[[HTML](https://www.misp-galaxy.org/tmss)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tmss.json)] - -## Tool - -[Tool](https://www.misp-galaxy.org/tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. 
- -Category: *tool* - source: *MISP Project* - total: *603* elements - -[[HTML](https://www.misp-galaxy.org/tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)] - -## UAVs/UCAVs - -[UAVs/UCAVs](https://www.misp-galaxy.org/uavs) - Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles - -Category: *military equipment* - source: *Popular Mechanics* - total: *36* elements - -[[HTML](https://www.misp-galaxy.org/uavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)] - -## UKHSA Culture Collections - -[UKHSA Culture Collections](https://www.misp-galaxy.org/ukhsa-culture-collections) - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance. - -Category: *virus* - source: *https://www.culturecollections.org.uk* - total: *6667* elements - -[[HTML](https://www.misp-galaxy.org/ukhsa-culture-collections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ukhsa-culture-collections.json)] - diff --git a/tools/update_README_with_index.py b/tools/update_README_with_index.py new file mode 100755 index 0000000..145caaf --- /dev/null +++ b/tools/update_README_with_index.py 
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+import json
+import os
+import argparse
+
+
+parser = argparse.ArgumentParser(description='Generate a markdown index with all the galaxy available')
+parser.add_argument("-v", "--verbose", action='store_true', help='Verbose output')
+args = parser.parse_args()
+
+
+def gen_galaxy_tag(galaxy_name, cluster_name):
+ # return 'misp-galaxy:{}="{}"'.format(galaxy_name, cluster_name)
+ return '{}={}'.format(galaxy_name, cluster_name)
+
+
+galaxies_fnames = []
+files_to_ignore = ["cancer.json", "handicap.json"]
+pathClusters = '../clusters'
+pathGalaxies = '../galaxies'
+
+for f in os.listdir(pathClusters):
+ if '.json' in f and f not in files_to_ignore:
+ galaxies_fnames.append(f)
+
+galaxies_fnames.sort()
+output = []
+
+# generate the index
+for f in galaxies_fnames:
+ with open(os.path.join(pathClusters, f)) as fr:
+ cluster = json.load(fr)
+ with open(os.path.join(pathGalaxies, f)) as fr:
+ galaxy = json.load(fr)
+ if galaxy.get('namespace') == 'deprecated':
+ continue
+ output.append(f"## {cluster['name']}\n\n")
+ link = f.split('.')[0]
+ total = len(cluster['values'])
+ output.append(f"[{cluster['name']}](https://www.misp-galaxy.org/{link}) - {cluster['description']}\n")
+ output.append(f"\nCategory: *{cluster['category']}* - source: *{cluster['source']}* - total: *{total}* elements\n")
+ output.append(f"\n[[HTML](https://www.misp-galaxy.org/{link})] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/{f})]\n\n")
+
+# update the README.md
+readme_out = []
+readme_marker_start = '# Available Galaxy - clusters'
+readme_marker_end = '# Online documentation'
+with open('../README.md', 'r') as f:
+ skip = False
+ for line in f:
+ if not skip:
+ readme_out.append(line)
+ if line.strip() == readme_marker_start:
+ skip = True
+ if line.strip() == readme_marker_end:
+ # append the index
+ readme_out.append("\n")
+ readme_out += output
+ readme_out.append("\n")
+ readme_out.append(line)
+ # stop skipping
+ skip = False
+
+
+with open('../README.md', 'w') as f:
+ f.write(''.join(readme_out))
+
+print("README.md updated with the index of the galaxies.")
From 07514f97fda0209d74c319a5f75c49c14a53330a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 May 2024 10:23:07 +0200
Subject: [PATCH 7/9] chg: [misp-galaxy] version updated
---
 clusters/sector.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/sector.json b/clusters/sector.json
index f9a65b3..a4e0991 100644
--- a/clusters/sector.json
+++ b/clusters/sector.json
@@ -1044,5 +1044,5 @@
 "value": "Non-profit organisation"
 }
 ],
- "version": 5
+ "version": 6
 }
From f3b93a6bef7bc0cefee513e53de70a4963b542d9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 May 2024 11:35:39 +0200
Subject: [PATCH 8/9] chg: [threat-actor] version updated
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7970ccc..6be3054 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15996,5 +15996,5 @@
 "value": "Alpha Spider"
 }
 ],
- "version": 309
+ "version": 310
 }
From e60b629cd3239ec4bbf89388597b0e22cbadc3f4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 May 2024 11:51:40 +0200
Subject: [PATCH 9/9] chg: [sigma] updated
---
 clusters/sigma-rules.json | 3054 +++++++++++++++++++------------------
 1 file changed, 1598 insertions(+), 1456 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 786e098..95493a2 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
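Review bot: The README rewrite has no guard for a missing end marker: if `# Online documentation` is never seen, `skip` stays True after the read loop, every line after `# Available Galaxy - clusters` is dropped, and the truncated content is written straight back over README.md with no warning. A check before the write, `if skip: raise SystemExit(f'marker {readme_marker_end!r} not found; README.md left untouched')`, keeps the file intact in that case, and the same applies when the start marker is absent, which currently means the generated index is silently never inserted. The index text and the README contain non-ASCII characters (the generated FIRST DNS entry has a curly apostrophe), so each `open()` here should pass `encoding='utf-8'` rather than depend on the locale to decode and re-encode it. `'.json' in f` also admits names such as `foo.json.bak`; `f.endswith('.json')` is the intended filter, and the `--verbose` option and `gen_galaxy_tag` are defined but never used.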
@@ -23,10 +23,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ @@ -127,8 +127,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" ], "tags": [ 
@@ -149,9 +149,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sans.org/cyber-security-summit/archives", "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", + "https://www.sans.org/cyber-security-summit/archives", "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], @@ -188,9 +188,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -223,8 +223,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" ], "tags": [ 
@@ -258,10 +258,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -294,8 +294,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/991447379864932352", "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", + "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], 
@@ -420,11 +420,11 @@ "logsource.product": "windows", "refs": [ "https://www.attackiq.com/2023/09/20/emulating-rhysida/", - "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", - "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml" ], "tags": [ 
@@ -466,11 +466,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ @@ -540,8 +540,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" ], "tags": [ 
@@ -682,8 +682,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml" ], "tags": [ @@ -717,8 +717,8 @@ "logsource.product": "windows", "refs": [ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -751,9 +751,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", - "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ 
@@ -786,9 +786,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -864,8 +864,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ @@ -1065,9 +1065,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ 
@@ -1169,8 +1169,8 @@ "refs": [ "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", - "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", + "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -1236,8 +1236,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" ], "tags": [ @@ -1294,8 +1294,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://labs.f-secure.com/blog/scheduled-task-tampering/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" ], "tags": [ 
@@ -1336,9 +1336,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml" ], "tags": [ @@ -1404,8 +1404,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", + "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml" ], "tags": [ @@ -1472,9 +1472,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ 
@@ -1507,8 +1507,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" ], "tags": [ @@ -1558,9 +1558,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" ], "tags": [ @@ -1593,9 +1593,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://twitter.com/inversecos/status/1494174785621819397", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" ], "tags": [ 
@@ -1669,8 +1669,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], @@ -1823,9 +1823,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], "tags": [ 
@@ -1871,10 +1871,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://persistence-info.github.io/Data/ifilters.html", "https://twitter.com/0gtweet/status/1468548924600459267", - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", - "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ @@ -1897,10 +1897,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://twitter.com/M_haggis/status/1699056847154725107", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", + "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ 
@@ -1990,8 +1990,8 @@ "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://twitter.com/nas_bench/status/1626648985824788480", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], @@ -2148,8 +2148,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ 
@@ -2184,17 +2184,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://bunnyinside.com/?term=f71e8cb9c76a", "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://twitter.com/_xpn_/status/1268712093928378368", "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + 
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -2292,8 +2292,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -2350,8 +2350,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", + "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml" ], "tags": [ @@ -2417,8 +2417,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", + "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" ], "tags": [ 
@@ -2451,8 +2451,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://youtu.be/zSihR3lTf7g", "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", + "https://youtu.be/zSihR3lTf7g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ 
@@ -2543,15 +2543,15 @@ "logsource.product": "windows", "refs": [ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", - "https://blog.sekoia.io/darkgate-internals/", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://blog.sekoia.io/darkgate-internals/", + "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ 
@@ -2686,9 +2686,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -2755,13 +2755,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ 
@@ -2831,9 +2831,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -2889,9 +2889,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ 
@@ -2914,9 +2914,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", "https://unit42.paloaltonetworks.com/ransomware-families/", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], "tags": [ @@ -2949,8 +2949,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", + "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml" ], "tags": [ 
@@ -2975,9 +2975,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -3010,8 +3010,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml" ], @@ -3082,9 +3082,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ 
@@ -3174,10 +3174,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://github.com/elastic/detection-rules/issues/1371", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://github.com/elastic/detection-rules/issues/1371", "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -3342,9 +3342,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ @@ -3450,9 +3450,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://twitter.com/inversecos/status/1494174785621819397", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" ], "tags": [ 
@@ -3553,10 +3553,10 @@
 "logsource.product": "windows",
 "refs": [
 "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
 "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
@@ -3626,8 +3626,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
 "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
 ],
 "tags": [
@@ -3717,8 +3717,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://vanmieghem.io/stealth-outlook-persistence/",
 "https://twitter.com/_vivami/status/1347925307643355138",
+ "https://vanmieghem.io/stealth-outlook-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
 ],
 "tags": [
@@ -3751,8 +3751,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01",
 "Internal Research",
+ "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml"
 ],
 "tags": [
@@ -3852,10 +3852,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps",
- "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
 "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1",
 "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
+ "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps",
+ "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml"
 ],
 "tags": [
@@ -3912,9 +3912,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
 ],
 "tags": [
@@ -4073,8 +4073,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5",
 "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior",
+ "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml"
 ],
 "tags": [
@@ -4107,8 +4107,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
 "https://www.exploit-db.com/exploits/47696",
+ "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
 ],
 "tags": [
@@ -4308,8 +4308,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
 "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
+ "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
 ],
 "tags": [
@@ -4551,8 +4551,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
 ],
 "tags": [
@@ -4676,8 +4676,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
@@ -4925,8 +4925,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
 "https://twitter.com/WhichbufferArda/status/1543900539280293889",
+ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
 ],
 "tags": [
@@ -5027,8 +5027,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
 ],
 "tags": [
@@ -5061,9 +5061,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
 "https://twitter.com/VakninHai/status/1517027824984547329",
 "https://twitter.com/pabraeken/status/998627081360695297",
- "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
 ],
 "tags": [
@@ -5161,11 +5161,11 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
 "tags": [
@@ -5399,9 +5399,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
 ],
 "tags": [
@@ -5469,10 +5469,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
 "tags": [
@@ -5506,9 +5506,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
 ],
 "tags": [
@@ -5583,9 +5583,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
 ],
 "tags": [
@@ -5798,8 +5798,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml"
 ],
 "tags": [
@@ -5866,8 +5866,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/wer_debugger.html",
 "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
+ "https://persistence-info.github.io/Data/wer_debugger.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
 ],
 "tags": [
@@ -6131,8 +6131,8 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "http://woshub.com/how-to-clear-rdp-connections-history/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
@@ -6174,11 +6174,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
- "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
 "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -6323,8 +6323,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://adepts.of0x.cc/netsh-portproxy-code/",
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
 "tags": [
@@ -6359,8 +6359,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
+ "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
 ],
 "tags": [
@@ -6393,8 +6393,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
 "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
+ "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
 "https://twitter.com/inversecos/status/1494174785621819397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml"
 ],
@@ -6428,11 +6428,11 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
- "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
 "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
+ "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
 "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
+ "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
 ],
 "tags": [
@@ -6468,8 +6468,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
- "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
 "https://persistence-info.github.io/Data/recyclebin.html",
+ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
 ],
 "tags": [
@@ -6502,8 +6502,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
 "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
+ "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
 ],
 "tags": [
@@ -6536,9 +6536,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
- "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
 "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
 "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
 ],
@@ -6581,8 +6581,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://twitter.com/pabraeken/status/990717080805789697",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
 ],
 "tags": [
@@ -6882,8 +6882,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
 ],
 "tags": [
@@ -7122,8 +7122,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
 ],
 "tags": [
@@ -7263,8 +7263,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://wikileaks.org/vault7/#Pandemic",
 "https://twitter.com/MalwareJake/status/870349480356454401",
+ "https://wikileaks.org/vault7/#Pandemic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml"
 ],
 "tags": [
@@ -7428,8 +7428,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1183745981189427200",
 "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
+ "https://twitter.com/SBousseaden/status/1183745981189427200",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml"
 ],
 "tags": [
@@ -7639,11 +7639,11 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
 "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
+ "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
+ "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
 ],
 "tags": [
@@ -7743,8 +7743,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
 "https://persistence-info.github.io/Data/amsi.html",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml"
 ],
 "tags": [
@@ -7859,8 +7859,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
 "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml"
 ],
 "tags": [
@@ -7961,8 +7961,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://systeminformer.sourceforge.io/",
 "https://github.com/winsiderss/systeminformer",
+ "https://systeminformer.sourceforge.io/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml"
 ],
 "tags": [
@@ -8237,8 +8237,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
 "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -8259,7 +8259,7 @@
 "value": "Suspicious Cobalt Strike DNS Beaconing - Sysmon"
 },
 {
- "description": "Detects DNS query requests to Cloudflared tunnels domains.",
+ "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2023/12/20",
@@ -8271,8 +8271,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "Internal Research",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml"
 ],
 "tags": [
@@ -8305,8 +8305,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
 "https://twitter.com/notwhickey/status/1333900137232523264",
+ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml"
 ],
 "tags": [
@@ -8339,8 +8339,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/neonprimetime/status/1436376497980428318",
 "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://twitter.com/neonprimetime/status/1436376497980428318",
 "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml"
 ],
@@ -8408,8 +8408,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04",
+ "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml"
 ],
 "tags": [
@@ -8442,8 +8442,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://cydefops.com/devtunnels-unleashed",
+ "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml"
 ],
@@ -8643,8 +8643,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://cydefops.com/vscode-data-exfiltration",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml"
 ],
 "tags": [
@@ -8712,8 +8712,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml"
 ],
 "tags": [
@@ -8755,10 +8755,10 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://redcanary.com/blog/misbehaving-rats/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
 "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"
 ],
@@ -8792,18 +8792,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
 "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
 "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml"
 ],
 "tags": [
@@ -8874,8 +8874,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/kavika13/RemCom",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://github.com/kavika13/RemCom",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml"
 ],
 "tags": [
@@ -8917,9 +8917,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/Azure/SimuLand",
 "https://o365blog.com/post/adfs/",
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml"
 ],
 "tags": [
@@ -8987,8 +8987,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/poweradminllc/PAExec",
 "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md",
+ "https://github.com/poweradminllc/PAExec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml"
 ],
 "tags": [
@@ -9021,8 +9021,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/malcomvetter/CSExec",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://github.com/malcomvetter/CSExec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml"
 ],
 "tags": [
@@ -9099,8 +9099,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/zcgonvh/EfsPotato", + "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml" ], "tags": [ @@ -9199,11 +9199,11 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", - "https://github.com/SigmaHQ/sigma/issues/253", "https://twitter.com/d4rksystem/status/1357010969264873472", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://github.com/SigmaHQ/sigma/issues/253", + "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ @@ -9237,8 +9237,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml" ], "tags": [ 
@@ -9339,8 +9339,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml" ], "tags": [ @@ -9397,8 +9397,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" ], "tags": [ @@ -9431,8 +9431,8 @@ "logsource.category": "sysmon_status", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" ], "tags": [ 
@@ -9511,8 +9511,8 @@ "logsource.category": "sysmon_error", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" ], "tags": [ @@ -9627,9 +9627,9 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", - "https://github.com/GhostPack/KeeThief", "https://github.com/denandz/KeeFarce", + "https://github.com/GhostPack/KeeThief", + "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml" ], "tags": [ @@ -9704,8 +9704,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml" ], "tags": [ @@ -9763,8 +9763,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml" ], "tags": [ 
@@ -10380,8 +10380,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", "https://github.com/GhostPack/SafetyKatz", + "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml" ], "tags": [ @@ -10539,8 +10539,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" ], "tags": [ @@ -10597,9 +10597,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ 
@@ -10816,11 +10816,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -10853,9 +10853,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", - "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], "tags": [ @@ -10968,8 +10968,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml" ], "tags": [ 
@@ -11161,10 +11161,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://github.com/Yaxser/Backstab", - "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", + "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", + "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], "tags": [ @@ -11298,8 +11298,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/12", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" ], "tags": [ @@ -11367,8 +11367,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "Internal Research", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], 
@@ -11426,10 +11426,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -11551,8 +11551,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" ], "tags": [ @@ -11586,8 +11586,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ 
@@ -11793,8 +11793,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "http://www.irongeek.com/homoglyph-attack-generator.php", "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", + "http://www.irongeek.com/homoglyph-attack-generator.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml" ], "tags": [ @@ -11901,8 +11901,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://adsecurity.org/?p=2398", + "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml" ], "tags": [ @@ -12052,8 +12052,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml" ], "tags": [ 
@@ -12199,10 +12199,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", - "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "http://addbalance.com/word/startup.htm", + "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", + "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], "tags": [ @@ -12235,8 +12235,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ 
@@ -12293,26 +12293,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/adrecon/ADRecon", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/PowerShellMafia/PowerSploit", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/Kevin-Robertson/Powermad", "https://github.com/samratashok/nishang", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/besimorhino/powercat", "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/adrecon/ADRecon", + 
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/NetSPI/PowerUpSQL", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/adrecon/AzureADRecon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -12411,8 +12411,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/davisrichardg/status/1616518800584704028", "https://aboutdfir.com/the-key-to-identify-psexec/", + "https://twitter.com/davisrichardg/status/1616518800584704028", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml" ], "tags": [ 
@@ -12465,11 +12465,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/CCob/MirrorDump", - "https://www.google.com/search?q=procdump+lsass", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://github.com/helpsystems/nanodump", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/CCob/MirrorDump", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://www.google.com/search?q=procdump+lsass", + "https://github.com/helpsystems/nanodump", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], @@ -12571,10 +12571,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": [ 
@@ -12805,8 +12805,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ @@ -12829,8 +12829,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "PT ESC rule and personal experience", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md", + "PT ESC rule and personal experience", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" ], "tags": [ @@ -12991,10 +12991,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ 
@@ -13325,10 +13325,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", - "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", - "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", + "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", + "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ @@ -13494,9 +13494,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], "tags": [ 
@@ -13586,11 +13586,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/luc4m/status/1073181154126254080", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -13624,9 +13624,9 @@ "logsource.product": "windows", "refs": [ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ 
@@ -13755,6 +13755,30 @@ "uuid": "736ffa74-5f6f-44ca-94ef-1c0df4f51d2a", "value": "CrackMapExec File Indicators" }, + { + "description": "Detects the creation of files with scripting or executable extensions by Mysql daemon.\nWhich could be an indicator of \"User Defined Functions\" abuse to download malware.\n", + "meta": { + "author": "Joseph Kamau", + "creation_date": "2024/05/27", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_mysqld_uncommon_file_creation.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/", + "https://asec.ahnlab.com/en/58878/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c61daa90-3c1e-4f18-af62-8f288b5c9aaf", + "value": "Uncommon File Creation By Mysql Daemon Process" + }, { "description": "Detects files written by the different tools that exploit HiveNightmare", "meta": { @@ -13769,8 +13793,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/cube0x0/status/1418920190759378944", - "https://github.com/FireFart/hivenightmare/", "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://github.com/FireFart/hivenightmare/", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], 
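Review bot: The new "Uncommon File Creation By Mysql Daemon Process" entry is tagged only `attack.defense_evasion`, which does not fit its own description of "User Defined Functions" abuse by the MySQL daemon to drop and run payloads; that behaviour is normally mapped to persistence/execution (e.g. T1505.001, SQL Stored Procedures), so a consumer filtering this galaxy by tactic would likely not surface it. The wholesale refs reordering in every surrounding hunk suggests this JSON is regenerated from the upstream Sigma rule, so the tag should be corrected in `file_event_win_mysqld_uncommon_file_creation.yml` upstream rather than hand-edited here. The description also contains a sentence fragment (`Which could be an indicator of ...`) that reads better joined to the preceding sentence, and `falsepositive` is left as `Unknown` — if legitimate plugin or UDF installation by mysqld writes such files, naming that case in the rule would help triage.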
@@ -13805,8 +13829,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], @@ -13891,8 +13915,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", + "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml" ], "tags": [ @@ -13950,8 +13974,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", + "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" ], "tags": [ 
@@ -13984,9 +14008,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", "https://twitter.com/Sam0x90/status/1552011547974696960", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -14042,9 +14066,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -14110,8 +14134,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ 
@@ -14144,9 +14168,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://github.com/fox-it/LDAPFragger", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" ], "tags": [ @@ -14213,8 +14237,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ 
@@ -14239,11 +14263,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://twitter.com/pfiatde/status/1681977680688738305", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", - "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -14360,11 +14384,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/luc4m/status/1073181154126254080", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ 
@@ -14397,8 +14421,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", + "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" ], "tags": [ @@ -14457,12 +14481,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/MaD_c4t/status/1623414582382567424", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", + "https://twitter.com/MaD_c4t/status/1623414582382567424", "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ 
@@ -14844,12 +14868,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/Wh04m1001/SysmonEoP", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", - "https://github.com/Wh04m1001/SysmonEoP", - "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -14892,8 +14916,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "Internal Research", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml" ], "tags": [ 
@@ -14992,8 +15016,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], @@ -15027,11 +15051,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/cube0x0/CVE-2021-36934", + "https://github.com/FireFart/hivenightmare", + "https://github.com/HuskyHacks/ShadowSteal", "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/search?q=CVE-2021-36934", - "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/FireFart/hivenightmare", - "https://github.com/cube0x0/CVE-2021-36934", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -15064,8 +15088,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ 
@@ -15235,8 +15259,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ @@ -15272,8 +15296,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows", "https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2", + "https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_outlook_mail_credential_access.yml" ], "tags": [ @@ -15406,8 +15430,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/", "Internal Research", + "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" ], "tags": [ 
@@ -15540,8 +15564,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "Internal Research", "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml" ], "tags": [ @@ -15607,8 +15631,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], "tags": [ @@ -15711,8 +15735,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "Internal Research", "https://linuxhint.com/view-tomcat-logs-windows/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml" ], "tags": [ @@ -15847,8 +15871,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml" ], "tags": [ 
@@ -15972,8 +15996,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], @@ -16007,9 +16031,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -16259,9 +16283,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/qbot/", - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ 
@@ -16295,9 +16319,9 @@ "logsource.product": "windows", "refs": [ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ @@ -16414,9 +16438,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_JohnHammond/status/1531672601067675648", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -16482,8 +16506,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/Rubeus", "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], 
@@ -16534,12 +16558,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", - "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", - "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ 
@@ -16573,12 +16597,12 @@ "logsource.product": "windows", "refs": [ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ @@ -16611,9 +16635,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], "tags": [ 
@@ -16655,8 +16679,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], "tags": [ @@ -16984,10 +17008,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", - "https://en.wikipedia.org/wiki/IExpress", "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", + "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" ], "tags": [ 
@@ -17053,10 +17077,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], "tags": [ @@ -17171,9 +17195,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ 
@@ -17243,8 +17267,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ @@ -17389,8 +17413,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound", "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/BloodHoundAD/SharpHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" ], "tags": [ @@ -17515,8 +17539,8 @@ "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", - "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], "tags": [ 
@@ -17738,13 +17762,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/zcgonvh/NTDSDumpEx", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://github.com/zcgonvh/NTDSDumpEx", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -17844,8 +17868,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ 
@@ -17880,8 +17904,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml" ], "tags": [ @@ -18214,8 +18238,8 @@ "logsource.product": "windows", "refs": [ "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ 
@@ -18324,8 +18348,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" @@ -18437,9 +18461,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], 
@@ -18507,9 +18531,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", + "https://github.com/cloudflare/cloudflared", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -18736,8 +18760,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml" ], "tags": [ @@ -18804,8 +18828,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml" ], "tags": [ 
@@ -18940,8 +18964,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", + "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml" ], "tags": [ @@ -19016,8 +19040,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], 
@@ -19076,11 +19100,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/885570278637678592", "https://twitter.com/Hexacorn/status/885553465417756673", - "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://twitter.com/vysecurity/status/885545634958385153", + "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://twitter.com/Hexacorn/status/885570278637678592", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -19146,8 +19170,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ 
@@ -19180,8 +19204,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.echotrail.io/insights/search/wusa.exe/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" ], "tags": [ @@ -19204,8 +19228,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://redcanary.com/blog/raspberry-robin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" ], "tags": [ @@ -19354,8 +19378,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" ], "tags": [ @@ -19446,8 +19470,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.localpotato.com/localpotato_html/LocalPotato.html", "https://github.com/decoder-it/LocalPotato", + "https://www.localpotato.com/localpotato_html/LocalPotato.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml" ], "tags": [ 
@@ -19647,8 +19671,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ @@ -19756,8 +19780,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/svchost/", "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", + "https://pentestlab.blog/tag/svchost/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" ], "tags": [ @@ -19790,8 +19814,8 @@ "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/chromeloader/", - "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://emkc.org/s/RJjuLa", + "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], "tags": [ @@ -19824,8 +19848,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ 
@@ -19925,8 +19949,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Bash/", - "Internal Research", "https://linux.die.net/man/1/bash", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], "tags": [ @@ -20027,8 +20051,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], @@ -20062,8 +20086,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml" ], "tags": [ @@ -20129,8 +20153,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" ], 
@@ -20187,10 +20211,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
 "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml"
 ],
 "tags": [
@@ -20274,8 +20298,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml"
 ],
 "tags": [
@@ -20349,11 +20373,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
 "https://twitter.com/aceresponder/status/1636116096506818562",
- "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
- "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
+ "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
 "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
+ "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
+ "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml"
 ],
 "tags": [
@@ -20387,8 +20411,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
 "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
+ "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
 "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml"
 ],
@@ -20498,9 +20522,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.yeahhub.com/list-installed-programs-version-path-windows/",
 "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product",
 "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
+ "https://www.yeahhub.com/list-installed-programs-version-path-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"
 ],
 "tags": [
@@ -20533,11 +20557,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://twitter.com/egre55/status/1087685529016193025",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://twitter.com/egre55/status/1087685529016193025",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
 ],
 "tags": [
@@ -20570,8 +20594,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml"
 ],
 "tags": [
@@ -20606,8 +20630,8 @@
 "refs": [
 "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
- "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml"
 ],
 "tags": [
@@ -20640,8 +20664,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml"
 ],
@@ -20675,8 +20699,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
+ "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
 ],
 "tags": [
@@ -20709,9 +20733,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
- "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
 "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
+ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml"
 ],
 "tags": [
@@ -20746,9 +20770,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"
 ],
 "tags": [
@@ -20891,8 +20915,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml"
 ],
 "tags": [
@@ -20926,9 +20950,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
 "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"
 ],
@@ -20953,8 +20977,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"
 ],
 "tags": [
@@ -21076,8 +21100,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"
 ],
 "tags": [
@@ -21144,8 +21168,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1550836225652686848",
 "https://persistence-info.github.io/Data/windowsterminalprofile.html",
+ "https://twitter.com/nas_bench/status/1550836225652686848",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
 ],
 "tags": [
@@ -21245,9 +21269,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
- "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"
 ],
@@ -21337,9 +21361,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
- "https://github.com/dsnezhkov/TruffleSnout",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
+ "https://github.com/dsnezhkov/TruffleSnout",
+ "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml"
 ],
 "tags": [
@@ -21407,8 +21431,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
- "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html",
 "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+ "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html",
 "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml"
 ],
@@ -21692,8 +21716,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
@@ -21738,9 +21762,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.intrinsec.com/apt27-analysis/",
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.intrinsec.com/apt27-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
 ],
 "tags": [
@@ -22014,8 +22038,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
 ],
@@ -22117,8 +22141,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
 "https://twitter.com/med0x2e/status/1520402518685200384",
+ "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml"
 ],
 "tags": [
@@ -22194,8 +22218,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml"
 ],
 "tags": [
@@ -22228,8 +22252,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/kmkz_security/status/1220694202301976576",
 "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
+ "https://twitter.com/kmkz_security/status/1220694202301976576",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml"
 ],
 "tags": [
@@ -22372,10 +22396,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/msix-installers/",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
 "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://redcanary.com/blog/msix-installers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml"
 ],
 "tags": [
@@ -22409,9 +22433,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml"
 ],
 "tags": [
@@ -22444,8 +22468,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks",
 "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/",
+ "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml"
 ],
 "tags": [
@@ -22545,8 +22569,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml"
 ],
 "tags": [
@@ -22836,8 +22860,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
 ],
 "tags": [
@@ -22906,11 +22930,11 @@
 "refs": [
 "https://taggart-tech.com/quasar-electron/",
 "https://positive.security/blog/ms-officecmd-rce",
- "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://github.com/mttaggart/quasar",
- "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
- "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
 "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://github.com/mttaggart/quasar",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
 ],
 "tags": [
@@ -22966,9 +22990,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/frack113/status/1555830623633375232",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/frack113/status/1555830623633375232",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"
 ],
 "tags": [
@@ -23058,11 +23082,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
 ],
 "tags": [
@@ -23140,9 +23164,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
 "tags": [
@@ -23266,8 +23290,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"
 ],
 "tags": [
@@ -23368,8 +23392,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
 ],
 "tags": [
@@ -23443,9 +23467,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
 ],
 "tags": [
@@ -23511,8 +23535,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/",
+ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml"
 ],
 "tags": [
@@ -23546,11 +23570,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://twitter.com/cglyer/status/1355171195654709249",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://twitter.com/cglyer/status/1355171195654709249",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
 ],
 "tags": [
@@ -23725,8 +23749,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
+ "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
 "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml"
 ],
@@ -23761,8 +23785,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml"
 ],
@@ -23831,8 +23855,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
 "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml"
 ],
 "tags": [
@@ -23907,8 +23931,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
 "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"
 ],
 "tags": [
@@ -24076,13 +24100,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
- "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
 "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
- "https://github.com/vletoux/pingcastle",
 "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://github.com/vletoux/pingcastle",
+ "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
 "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
 "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
+ "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml"
 ],
 "tags": [
@@ -24116,8 +24140,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://redcanary.com/blog/chromeloader/",
- "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://emkc.org/s/RJjuLa",
+ "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
 ],
 "tags": [
@@ -24150,11 +24174,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
+ "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
 ],
 "tags": [
@@ -24196,8 +24220,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml"
 ],
 "tags": [
@@ -24230,11 +24254,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/CCob/MirrorDump", - "https://github.com/Hackndo/lsassy", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://github.com/helpsystems/nanodump", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/CCob/MirrorDump", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/Hackndo/lsassy", + "https://github.com/helpsystems/nanodump", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], @@ -24351,9 +24375,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.php.net/manual/en/features.commandline.php", - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.php.net/manual/en/features.commandline.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ 
@@ -24445,8 +24469,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" ], "tags": [ @@ -24512,9 +24536,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml" ], "tags": [ @@ -24590,9 +24614,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml" ], "tags": [ 
@@ -24658,10 +24682,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Max_Mal_/status/1633863678909874176", - "Internal Research", "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "https://twitter.com/_JohnHammond/status/1588155401752788994", + "Internal Research", + "https://twitter.com/Max_Mal_/status/1633863678909874176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" ], "tags": [ @@ -24851,9 +24875,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", - "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ 
@@ -24956,9 +24980,9 @@ "logsource.product": "windows", "refs": [ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", - "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://github.com/defaultnamehere/cookie_crimes/", "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ @@ -25057,8 +25081,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", "https://twitter.com/0gtweet/status/1457676633809330184", + "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" ], "tags": [ @@ -25092,8 +25116,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], "tags": [ @@ -25126,8 +25150,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", + "https://twitter.com/0gtweet/status/1674399582162153472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml" ], "tags": [ 
@@ -25227,9 +25251,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", - "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" ], "tags": [ @@ -25252,8 +25276,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1465058133303246867", "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", + "https://twitter.com/mrd0x/status/1465058133303246867", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml" ], "tags": [ @@ -25287,8 +25311,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" ], 
@@ -25643,8 +25667,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", + "https://twitter.com/0gtweet/status/1674399582162153472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml" ], "tags": [ @@ -25677,10 +25701,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1211636381086339073", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://twitter.com/SBousseaden/status/1211636381086339073", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ 
@@ -25765,12 +25789,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://redcanary.com/blog/raspberry-robin/", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ @@ -25836,9 +25860,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://www.gpg4win.de/documentation.html", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" ], "tags": [ 
@@ -25863,8 +25887,8 @@ "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", - "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", + "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml" ], "tags": [ @@ -25897,8 +25921,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml" ], "tags": [ 
@@ -26487,11 +26511,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", - "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml" ], "tags": [ @@ -26584,9 +26608,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/antonioCoco/RogueWinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], 
@@ -26620,8 +26644,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ @@ -26695,8 +26719,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/carlospolop/PEASS-ng", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" ], "tags": [ @@ -26768,8 +26792,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml" ], "tags": [ @@ -26858,8 +26882,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://twitter.com/mrd0x/status/1478116126005641220", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml" ], "tags": [ 
@@ -26892,8 +26916,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://twitter.com/mrd0x/status/1463526834918854661", + "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml" ], "tags": [ @@ -27001,12 +27025,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.joeware.net/freetools/tools/adfind/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ 
@@ -27137,8 +27161,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" ], "tags": [ @@ -27205,10 +27229,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/cloudflare/cloudflared", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://www.intrinsec.com/akira_ransomware/", - "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/cloudflare/cloudflared/releases", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml" ], "tags": [ @@ -27319,9 +27343,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://www.gpg4win.de/documentation.html", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], "tags": [ 
@@ -27481,8 +27505,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", - "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ @@ -27664,9 +27688,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -27732,8 +27756,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1638069413717975046", "https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend", + "https://twitter.com/0gtweet/status/1638069413717975046", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml" ], "tags": [ 
@@ -27766,8 +27790,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml" ], "tags": [ @@ -27892,9 +27916,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", "https://reaqta.com/2017/11/short-journey-darkvnc/", - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml" ], "tags": [ 
@@ -27987,11 +28011,11 @@ "logsource.product": "windows", "refs": [ "https://www.attackiq.com/2023/09/20/emulating-rhysida/", - "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", - "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml" ], "tags": [ 
@@ -28033,10 +28057,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", + "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -28126,8 +28150,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/sensepost/impersonate", + "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" ], "tags": [ 
@@ -28305,11 +28329,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gtfobins.github.io/gtfobins/ssh/", - "https://man.openbsd.org/ssh_config#LocalCommand", - "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", + "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", + "https://gtfobins.github.io/gtfobins/ssh/", "https://man.openbsd.org/ssh_config#ProxyCommand", + "https://man.openbsd.org/ssh_config#LocalCommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ @@ -28377,12 +28401,12 @@ "logsource.product": "windows", "refs": [ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ 
@@ -28415,8 +28439,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", + "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" ], "tags": [ @@ -28720,8 +28744,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" ], "tags": [ @@ -28789,10 +28813,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://twitter.com/EricaZelic/status/1614075109827874817", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ 
@@ -28842,8 +28866,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], "tags": [ 
@@ -28945,14 +28969,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://twitter.com/Hexacorn/status/776122138063409152", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://github.com/SigmaHQ/sigma/issues/3742", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ @@ -29027,8 +29051,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/bopin2020/status/1366400799199272960", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" ], "tags": [ 
@@ -29093,8 +29117,8 @@ "logsource.product": "windows", "refs": [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ @@ -29172,8 +29196,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ @@ -29207,9 +29231,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ 
@@ -29253,7 +29277,7 @@
 "value": "Execution Of Non-Existing File"
 },
 {
- "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.",
+ "description": "Detects calls to base64 encoded WMI class such as \"Win32_ShadowCopy\", \"Win32_ScheduledJob\", etc.",
 "meta": {
 "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2023/01/30",
@@ -29308,8 +29332,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.nirsoft.net/utils/nircmd.html",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
 ],
 "tags": [
@@ -29366,9 +29390,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
 "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
 ],
 "tags": [
@@ -29401,8 +29425,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
@@ -29461,9 +29485,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
 ],
 "tags": [
@@ -29505,9 +29529,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf",
 "https://redcanary.com/blog/child-processes/",
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml"
 ],
 "tags": [
@@ -29540,8 +29564,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/RedDrip7/status/1506480588827467785",
 "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
+ "https://twitter.com/RedDrip7/status/1506480588827467785",
 "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"
 ],
@@ -29575,8 +29599,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/999090532839313408",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
+ "https://twitter.com/pabraeken/status/999090532839313408",
 "https://twitter.com/pabraeken/status/995837734379032576",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml"
 ],
@@ -29610,9 +29634,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist",
 "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist",
+ "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"
 ],
 "tags": [
@@ -29686,9 +29710,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
- "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
 "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
+ "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
 ],
 "tags": [
@@ -29789,16 +29813,16 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
 "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
- "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
 "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
 ],
@@ -29849,8 +29873,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
+ "https://github.com/cloudflare/cloudflared",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml"
 ],
 "tags": [
@@ -30033,8 +30057,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
 "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml"
 ],
 "tags": [
@@ -30091,9 +30115,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://www.cobaltstrike.com/help-windows-executable",
 "https://redcanary.com/threat-detection-report/",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
 ],
 "tags": [
@@ -30126,10 +30150,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml",
 "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
- "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
 ],
 "tags": [
@@ -30172,8 +30196,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"
 ],
 "tags": [
@@ -30478,13 +30502,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
 "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/",
 "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://www.softperfect.com/products/networkscanner/",
- "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
- "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
+ "https://www.softperfect.com/products/networkscanner/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml"
 ],
 "tags": [
@@ -30626,8 +30650,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
 ],
@@ -30704,8 +30728,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
 "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
+ "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml"
 ],
 "tags": [
@@ -30891,8 +30915,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.d7xtech.com/free-software/runx/",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.d7xtech.com/free-software/runx/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml"
 ],
 "tags": [
@@ -31026,8 +31050,8 @@
 "refs": [
 "https://twitter.com/ForensicITGuy/status/1334734244120309760",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
 ],
 "tags": [
@@ -31077,9 +31101,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
- "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
 "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
+ "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
 ],
 "tags": [
@@ -31112,8 +31136,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
 "https://twitter.com/bohops/status/994405551751815170",
+ "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
 "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
 ],
@@ -31181,10 +31205,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
- "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
 "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
+ "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+ "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
 ],
 "tags": [
@@ -31249,8 +31273,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md",
 "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml"
 ],
 "tags": [
@@ -31382,8 +31406,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
+ "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml"
 ],
 "tags": [
@@ -31477,8 +31501,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
- "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
+ "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml"
 ],
 "tags": [
@@ -31554,8 +31578,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"
 ],
 "tags": [
@@ -31597,8 +31621,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
- "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
 "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
+ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
 ],
 "tags": [
@@ -31632,9 +31656,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://youtu.be/5mqid-7zp8k?t=2481",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
 ],
 "tags": [
@@ -31658,8 +31682,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"
 ],
 "tags": [
@@ -31759,8 +31783,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
@@ -31805,8 +31829,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1182389676876980224",
 "https://twitter.com/cglyer/status/1182391019633029120",
+ "https://twitter.com/cglyer/status/1182389676876980224",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
 ],
 "tags": [
@@ -31862,12 +31886,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
 "https://isc.sans.edu/diary/22264",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -31911,8 +31935,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
 "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml"
 ],
 "tags": [
@@ -31946,8 +31970,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/DissectMalware/status/998797808907046913",
- "https://lolbas-project.github.io/lolbas/Binaries/Jsc/",
 "https://www.phpied.com/make-your-javascript-a-windows-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Jsc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"
 ],
 "tags": [
@@ -32166,8 +32190,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
 "https://github.com/grayhatkiller/SharpExShell",
+ "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
 "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml"
 ],
@@ -32202,8 +32226,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"
 ],
 "tags": [
@@ -32439,9 +32463,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/nas_bench/status/1535322450858233858",
- "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
 "https://twitter.com/CyberRaiju/status/1273597319322058752",
 "https://twitter.com/bohops/status/1276357235954909188?s=12",
+ "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
 ],
 "tags": [
@@ -32474,9 +32498,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
- "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://unit42.paloaltonetworks.com/chromeloader-malware/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml"
 ],
 "tags": [
@@ -32518,10 +32542,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -32612,9 +32636,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
 ],
 "tags": [
@@ -32648,14 +32672,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
 "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/SigmaHQ/sigma/issues/3742",
 "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
 ],
 "tags": [
@@ -32779,8 +32803,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml"
 ],
 "tags": [
@@ -32837,8 +32861,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.scythe.io/library/threat-emulation-qakbot",
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml"
 ],
 "tags": [
@@ -32931,8 +32955,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml"
 ],
@@ -33000,9 +33024,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
- "https://twitter.com/pabraeken/status/990717080805789697",
 "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
+ "https://twitter.com/pabraeken/status/990717080805789697",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
 ],
 "tags": [
@@ -33036,8 +33060,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/sensepost/ruler",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
 ],
 "tags": [
@@ -33078,8 +33102,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
 "https://www.echotrail.io/insights/search/regsvr32.exe",
+ "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
 "https://redcanary.com/blog/intelligence-insights-april-2022/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml"
 ],
@@ -33238,8 +33262,8 @@
 "refs": [
 "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
 "https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml"
 ],
 "tags": [
@@ -33272,8 +33296,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/3proxy/3proxy",
 "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml"
 ],
 "tags": [
@@ -33341,9 +33365,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
+ "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
 "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://twitter.com/mrd0x/status/1511489821247684615",
- "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
 ],
 "tags": [
@@ -33385,8 +33409,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter",
+ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml"
 ],
 "tags": [
@@ -33419,9 +33443,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
 ],
 "tags": [
@@ -33454,10 +33478,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
- "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
+ "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
 ],
 "tags": [
@@ -33498,8 +33522,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
 "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
+ "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml"
 ],
 "tags": [
@@ -33599,9 +33623,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.exploit-db.com/exploits/37525",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
 "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
- "https://www.exploit-db.com/exploits/37525",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
 ],
 "tags": [
@@ -33701,8 +33725,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/child-processes/",
 "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
+ "https://redcanary.com/blog/child-processes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml"
 ],
 "tags": [
@@ -33869,8 +33893,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
 ],
 "tags": [
@@ -33937,10 +33961,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
 "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
+ "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
 ],
 "tags": [
@@ -34007,8 +34031,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
 "https://ss64.com/nt/mklink.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
 ],
 "tags": [
@@ -34087,8 +34111,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
 "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
@@ -34234,11 +34258,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml"
 ],
 "tags": [
@@ -34347,10 +34371,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
- "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
 "https://github.com/defaultnamehere/cookie_crimes/",
+ "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
 "https://github.com/wunderwuzzi23/firefox-cookiemonster",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
 ],
 "tags": [
@@ -34417,8 +34441,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.autoitscript.com/site/",
 "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w",
+ "https://www.autoitscript.com/site/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml"
 ],
 "tags": [
@@ -34632,8 +34656,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"
 ],
 "tags": [
@@ -34715,8 +34739,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
+ "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml"
 ],
 "tags": [
@@ -34791,8 +34815,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://twitter.com/gN3mes1s/status/1222088214581825540",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
 ],
@@ -34850,10 +34874,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.alyac.co.kr/1901",
 "https://twitter.com/cyberwar_15/status/1187287262054076416",
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://blog.alyac.co.kr/1901",
 "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
 "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
@@ -34905,10 +34929,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
 "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
 "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
- "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
- "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
 ],
 "tags": [
@@ -34974,8 +34998,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml"
 ],
 "tags": [
@@ -35008,8 +35032,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
 ],
@@ -35066,8 +35090,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml"
 ],
 "tags": [
@@ -35100,8 +35124,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/n1nj4sec/status/1421190238081277959",
 "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
+ "https://twitter.com/n1nj4sec/status/1421190238081277959",
 "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"
 ],
@@ -35126,8 +35150,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
+ "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml"
 ],
 "tags": [
@@ -35168,8 +35192,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
 ],
@@ -35386,8 +35410,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
 ],
@@ -35421,12 +35445,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
- "https://twitter.com/nas_bench/status/1433344116071583746",
- "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://twitter.com/eral4m/status/1479080793003671557",
 "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
 "https://twitter.com/eral4m/status/1479106975967240209",
+ "https://twitter.com/eral4m/status/1479080793003671557",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
 ],
 "tags": [
@@ -35526,8 +35550,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
- "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
 "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
+ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
 ],
 "tags": [
@@ -35560,8 +35584,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml"
 ],
 "tags": [
@@ -35652,10 +35676,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
- "https://twitter.com/0gtweet/status/1583356502340870144",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://twitter.com/0gtweet/status/1583356502340870144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
 ],
 "tags": [
@@ -35698,11 +35722,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
 "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
 "tags": [
@@ -35810,8 +35834,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
 "https://twitter.com/Hexacorn/status/1224848930795552769",
+ "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml"
 ],
 "tags": [
@@ -35834,8 +35858,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
 "https://github.com/quarkslab/quarkspwdump",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml"
 ],
 "tags": [
@@ -35910,8 +35934,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml"
 ],
@@ -36111,8 +36135,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
 "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
+ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml"
 ],
 "tags": [
@@ -36284,8 +36308,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/shantanu561993/SharpChisel",
 "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+ "https://github.com/shantanu561993/SharpChisel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml"
 ],
 "tags": [
@@ -36351,8 +36375,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/ber_m1ng/status/1397948048135778309",
 "https://www.cobaltstrike.com/help-opsec",
+ "https://twitter.com/ber_m1ng/status/1397948048135778309",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml"
 ],
 "tags": [
@@ -36451,11 +36475,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://twitter.com/0gtweet/status/1628720819537936386",
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
 ],
 "tags": [
@@ -36490,9 +36514,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
 ],
 "tags": [
@@ -36684,8 +36708,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
 "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
+ "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml"
 ],
 "tags": [
@@ -36766,9 +36790,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
 "https://lab52.io/blog/winter-vivern-all-summer/",
 "https://hatching.io/blog/powershell-analysis/",
- "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
 ],
 "tags": [
@@ -36901,10 +36925,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
 ],
 "tags": [
@@ -37091,8 +37115,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
- "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
 "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
+ "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
 ],
 "tags": [
@@ -37141,8 +37165,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
 "https://twitter.com/nas_bench/status/1534957360032120833",
+ "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml"
 ],
@@ -37226,8 +37250,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/Kevin-Robertson/Inveigh",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml"
 ],
 "tags": [
@@ -37396,8 +37420,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+ "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml"
 ],
 "tags": [
@@ -37473,8 +37497,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
 "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
+ "https://github.com/byt3bl33d3r/CrackMapExec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml"
 ],
 "tags": [
@@ -37841,9 +37865,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
 "https://nodejs.org/api/cli.html",
+ "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
 ],
 "tags": [
@@ -37876,9 +37900,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
- "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml"
 ],
 "tags": [
@@ -37901,9 +37925,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
 "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
- "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml"
 ],
 "tags": [
@@ -38029,24 +38053,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/besimorhino/powercat",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
 "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/samratashok/nishang",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/adrecon/AzureADRecon",
- "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
 "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/adrecon/ADRecon",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/calebstewart/CVE-2021-1675",
 "https://adsecurity.org/?p=2921",
 "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -38225,6 +38249,40 @@
 "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b",
 "value": "Arbitrary Command Execution Using WSL"
 },
+ {
+ "description": "Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.\n",
+ "meta": {
+ "author": "Joseph Kamau",
+ "creation_date": "2024/05/27",
+ "falsepositive": [
+ "Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed."
+ ],
+ "filename": "proc_creation_win_susp_browser_launch_from_document_reader_process.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/",
+ "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1193d960-2369-499f-a158-7b50a31df682",
+ "value": "Potential Suspicious Browser Launch From Document Reader Process"
+ },
 {
 "description": "Detects the execution of Xwizard tool with the \"RunWizard\" flag and a GUID like argument.\nThis utility can be abused in order to run custom COM object created in the registry.\n",
 "meta": {
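Review bot: The only substantive change in this span is the new "Potential Suspicious Browser Launch From Document Reader Process" entry in this hunk; every other hunk here (from `@@ -37473,8` through `@@ -41377,10`) merely permutes an existing `refs` array, which suggests the generator writes refs in set/dict-iteration order rather than a stable one. That churn makes regenerated diffs of this cluster hard to review for real content changes, so sorting each `refs` list before serialization in the generator (a one-line change there, not in this file) would confine future diffs to additions like this one. On the new entry itself, the `related[0].dest-uuid` is presumably the ATT&CK object matching the `attack.t1204.002` tag; since the two live in separate fields, it is worth confirming they agree before merge.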
@@ -38238,9 +38296,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml"
 ],
 "tags": [
@@ -38341,8 +38399,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
 "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
+ "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml"
 ],
 "tags": [
@@ -38483,9 +38541,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml"
 ],
 "tags": [
@@ -38628,10 +38686,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/cloudflare/cloudflared",
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://www.intrinsec.com/akira_ransomware/",
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/cloudflare/cloudflared/releases",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml"
 ],
 "tags": [
@@ -38814,9 +38872,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
 "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
 "https://twitter.com/pabraeken/status/990758590020452353",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
 ],
 "tags": [
@@ -38849,8 +38907,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml"
 ],
 "tags": [
@@ -38908,8 +38966,8 @@
 "refs": [
 "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
 "https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml"
 ],
 "tags": [
@@ -39009,8 +39067,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
 "https://twitter.com/mrd0x/status/1463526834918854661",
+ "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml"
 ],
 "tags": [
@@ -39080,9 +39138,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"
 ],
 "tags": [
@@ -39116,8 +39174,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml"
 ],
 "tags": [
@@ -39173,11 +39231,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
- "https://pentestlab.blog/2017/04/13/hot-potato/",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
- "https://github.com/ohpe/juicy-potato",
 "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://github.com/ohpe/juicy-potato",
+ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
 "https://www.localpotato.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
 ],
@@ -39279,12 +39337,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -39325,9 +39383,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"
 ],
 "tags": [
@@ -39426,8 +39484,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
 "https://www.pdq.com/pdq-deploy/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml"
 ],
 "tags": [
@@ -39495,9 +39553,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml"
 ],
 "tags": [
@@ -39539,8 +39597,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
 "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
 "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
 ],
@@ -39635,13 +39693,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://twitter.com/xorJosh/status/1598646907802451969",
 "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
 "https://ngrok.com/docs",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
 "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://twitter.com/xorJosh/status/1598646907802451969",
+ "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
 ],
 "tags": [
@@ -39777,8 +39835,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
 "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml"
 ],
 "tags": [
@@ -39811,8 +39869,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml"
 ],
 "tags": [
@@ -39847,8 +39905,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://twitter.com/0gtweet/status/1628720819537936386",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml"
 ],
@@ -39959,9 +40017,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
 "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f",
- "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml"
 ],
 "tags": [
@@ -40196,8 +40254,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"
 ],
@@ -40231,12 +40289,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://twitter.com/egre55/status/1087685529016193025",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -40269,10 +40327,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/hfiref0x/UACME",
 "https://twitter.com/hFireF0X/status/897640081053364225",
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml"
 ],
 "tags": [
@@ -40317,8 +40375,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
 "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
+ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml"
 ],
 "tags": [
@@ -40360,8 +40418,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/danielbohannon/Invoke-DOSfuscation",
 "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf",
+ "https://github.com/danielbohannon/Invoke-DOSfuscation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml"
 ],
 "tags": [
@@ -40395,15 +40453,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
- "https://github.com/Neo23x0/Raccine#the-process",
 "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -40665,9 +40723,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
 "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
 "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
+ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
 ],
 "tags": [
@@ -40700,10 +40758,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
 "https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"
 ],
 "tags": [
@@ -40844,8 +40902,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
 ],
 "tags": [
@@ -40935,8 +40993,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
 "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml"
 ],
 "tags": [
@@ -40969,12 +41027,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
+ "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
 ],
 "tags": [
@@ -41007,10 +41065,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
 "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
 ],
 "tags": [
@@ -41102,10 +41160,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
- "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
 "https://twitter.com/M_haggis/status/1699056847154725107",
 "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
+ "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"
 ],
 "tags": [
@@ -41129,9 +41187,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://en.wikipedia.org/wiki/HTML_Application",
 "https://www.echotrail.io/insights/search/mshta.exe",
+ "https://en.wikipedia.org/wiki/HTML_Application",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
 ],
 "tags": [
@@ -41165,8 +41223,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/fireeye/DueDLLigence",
- "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
 "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
 ],
 "tags": [
@@ -41242,10 +41300,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
+ "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
 "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
 "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
- "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
 ],
 "tags": [
@@ -41311,16 +41369,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://bunnyinside.com/?term=f71e8cb9c76a", "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -41377,10 +41435,10 @@ "logsource.product": "windows", "refs": [ "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://twitter.com/mattifestation/status/1326228491302563846", + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ 
@@ -41431,15 +41489,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", - "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", - "https://www.group-ib.com/blog/apt41-world-tour-2021/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", + "https://www.group-ib.com/blog/apt41-world-tour-2021/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], "tags": [ 
@@ -41643,9 +41701,9 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ @@ -41704,8 +41762,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" ], @@ -41740,8 +41798,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" 
@@ -41852,13 +41910,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://www.cobaltstrike.com/help-opsec", + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -41947,9 +42005,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ 
@@ -42048,8 +42106,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml" ], "tags": [ @@ -42085,8 +42143,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/991335019833708544", "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", + "https://twitter.com/pabraeken/status/991335019833708544", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ @@ -42187,8 +42245,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -42211,8 +42269,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ 
@@ -42286,8 +42344,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/gootloader/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://redcanary.com/blog/gootloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml" ], "tags": [ @@ -42328,8 +42386,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ @@ -42386,8 +42444,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ 
@@ -42546,11 +42604,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://twitter.com/pfiatde/status/1681977680688738305", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", - "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -42583,8 +42641,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" ], "tags": [ 
@@ -42785,8 +42843,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://twitter.com/ReaQta/status/1222548288731217921", + "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" @@ -42947,10 +43005,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/cyb3rops/status/1186631731543236608", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://github.com/Neo23x0/DLLRunner", "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", - "https://twitter.com/cyb3rops/status/1186631731543236608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml" ], "tags": [ @@ -43245,8 +43303,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", + "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml" ], "tags": [ 
@@ -43437,8 +43495,8 @@ "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ @@ -43629,8 +43687,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/993298228840992768", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", + "https://twitter.com/pabraeken/status/993298228840992768", "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], @@ -43773,9 +43831,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", - "https://kb.acronis.com/content/60892", "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", + "https://kb.acronis.com/content/60892", + "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ @@ -43840,8 +43898,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" ], "tags": [ 
@@ -43874,8 +43932,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://www.echotrail.io/insights/search/defaultpack.exe", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml" ], "tags": [ @@ -43909,8 +43967,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], @@ -43944,8 +44002,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1477925112561209344", "https://twitter.com/wdormann/status/1478011052130459653?s=20", + "https://twitter.com/0gtweet/status/1477925112561209344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml" ], "tags": [ 
@@ -44205,10 +44263,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], 
@@ -44259,10 +44317,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], "tags": [ 
@@ -44444,13 +44502,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://twitter.com/shantanukhande/status/1229348874298388484", - "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", - "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", - "https://twitter.com/SBousseaden/status/1167417096374050817", "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://twitter.com/Wietze/status/1542107456507203586", + "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ @@ -44493,9 +44551,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ 
@@ -44528,8 +44586,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml" ], "tags": [ @@ -44563,9 +44621,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ @@ -44598,9 +44656,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://ss64.com/ps/foreach-object.html", "https://ss64.com/nt/for.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://ss64.com/ps/foreach-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], "tags": [ 
@@ -44677,8 +44735,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml" ], "tags": [ @@ -44931,8 +44989,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -45094,11 +45152,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ 
@@ -45224,8 +45282,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/iagox86/dnscat2", "https://github.com/yarrick/iodine", + "https://github.com/iagox86/dnscat2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" ], "tags": [ @@ -45309,11 +45367,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ @@ -45347,9 +45405,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", - "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://atomicredteam.io/defense-evasion/T1220/", "https://twitter.com/mattifestation/status/986280382042595328", + "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], "tags": [ 
@@ -45407,8 +45465,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://abuse.io/lockergoga.txt", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", + "https://abuse.io/lockergoga.txt", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], @@ -45451,8 +45509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" ], "tags": [ 
@@ -45572,13 +45630,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", - "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://github.com/vletoux/pingcastle", "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://github.com/vletoux/pingcastle", + "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml" ], "tags": [ @@ -45611,8 +45669,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ 
@@ -45721,8 +45779,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" ], "tags": [ @@ -45755,8 +45813,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" ], "tags": [ @@ -45789,8 +45847,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" ], "tags": [ 
@@ -45899,8 +45957,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", "https://nmap.org/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" ], "tags": [ @@ -45934,10 +45992,10 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://twitter.com/bohops/status/980659399495741441", "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://twitter.com/bohops/status/980659399495741441", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ @@ -46072,8 +46130,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], "tags": [ 
@@ -46106,8 +46164,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ @@ -46157,8 +46215,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", + "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml" ], "tags": [ 
@@ -46248,12 +46306,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_JohnHammond/status/1708910264261980634", - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://twitter.com/egre55/status/1087685529016193025", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://twitter.com/_JohnHammond/status/1708910264261980634", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/egre55/status/1087685529016193025", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], "tags": [ @@ -46328,11 +46386,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://twitter.com/christophetd/status/1164506034720952320", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://twitter.com/christophetd/status/1164506034720952320", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ 
@@ -46465,9 +46523,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" ], "tags": [ @@ -46490,8 +46548,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], @@ -46661,8 +46719,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml" ], "tags": [ 
@@ -46703,8 +46761,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://tools.thehacker.recipes/mimikatz/modules", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml" ], "tags": [ @@ -47013,12 +47071,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://positive.security/blog/ms-officecmd-rce", "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", - "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml" ], "tags": [ @@ -47083,8 +47141,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" ], "tags": [ 
@@ -47330,10 +47388,10 @@ "logsource.product": "windows", "refs": [ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", "https://twitter.com/max_mal_/status/1542461200797163522", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ @@ -47366,9 +47424,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/bryon_/status/975835709587075072", "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", - "https://twitter.com/bryon_/status/975835709587075072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" ], "tags": [ 
@@ -47526,9 +47584,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], "tags": [ @@ -47692,9 +47750,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a", "https://securelist.com/locked-out/68960/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", - "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml" ], "tags": [ @@ -47760,10 +47818,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ 
@@ -48035,9 +48093,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/frack113/status/1555830623633375232", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], "tags": [ @@ -48169,8 +48227,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml" ], "tags": [ @@ -48203,8 +48261,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/180", "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/", + "https://github.com/LOLBAS-Project/LOLBAS/pull/180", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" ], "tags": [ 
@@ -48271,8 +48329,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/bopin2020/status/1366400799199272960", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml" ], "tags": [ @@ -48315,8 +48373,8 @@ "refs": [ "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ 
@@ -48349,14 +48407,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ 
@@ -48575,8 +48633,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], @@ -48612,9 +48670,9 @@ "logsource.product": "windows", "refs": [ "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", - "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", + "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], 
@@ -48693,9 +48751,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://attack.mitre.org/software/S0404/", "https://twitter.com/vxunderground/status/1423336151860002816", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", - "https://attack.mitre.org/software/S0404/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" ], "tags": [ @@ -48876,8 +48934,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://processhacker.sourceforge.io/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml" ], "tags": [ @@ -48929,8 +48987,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" ], "tags": [ 
@@ -48963,10 +49021,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/nas_bench/status/1537896324837781506", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://twitter.com/nas_bench/status/1537896324837781506", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ @@ -49033,8 +49091,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt", + "Internal Research", "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml" ], @@ -49259,8 +49317,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml" ], "tags": [ 
@@ -49328,8 +49386,8 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -49371,8 +49429,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml" ], "tags": [ @@ -49488,9 +49546,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://twitter.com/fr0s7_/status/1712780207105404948", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], "tags": [ 
@@ -49513,9 +49571,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], @@ -49624,8 +49682,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml" ], "tags": [ @@ -49737,8 +49795,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs", + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml" ], "tags": [ 
@@ -49771,8 +49829,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], @@ -49848,8 +49906,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8", + "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml" ], "tags": [ @@ -49882,9 +49940,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ 
@@ -49984,9 +50042,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml" ], "tags": [ @@ -50129,9 +50187,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/electron/rcedit", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", + "https://github.com/electron/rcedit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], "tags": [ 
@@ -50222,13 +50280,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", "https://www.joeware.net/freetools/tools/adfind/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ @@ -50321,9 +50379,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/0gtweet/status/1564968845726580736", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", - "https://twitter.com/0gtweet/status/1564968845726580736", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ 
@@ -50398,8 +50456,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.irongeek.com/homoglyph-attack-generator.php", "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", + "http://www.irongeek.com/homoglyph-attack-generator.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml" ], "tags": [ @@ -50441,11 +50499,11 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", - "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml" ], "tags": [ 
@@ -50554,9 +50612,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/jpillora/chisel/", "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", + "https://github.com/jpillora/chisel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" ], "tags": [ @@ -50622,9 +50680,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_felamos/status/1204705548668555264", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", + "https://twitter.com/_felamos/status/1204705548668555264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml" ], "tags": [ @@ -50657,8 +50715,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml" ], 
@@ -50716,10 +50774,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
 "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
 ],
 "tags": [
@@ -50785,9 +50843,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
 ],
 "tags": [
@@ -50904,8 +50962,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
 "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
 ],
 "tags": [
@@ -50973,8 +51031,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
 ],
@@ -51109,8 +51167,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
 "https://twitter.com/1ZRR4H/status/1534259727059787783",
+ "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml"
 ],
 "tags": [
@@ -51143,9 +51201,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "http://www.xuetr.com/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
 ],
 "tags": [
@@ -51244,8 +51302,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.autohotkey.com/download/",
 "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
+ "https://www.autohotkey.com/download/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml"
 ],
 "tags": [
@@ -51301,8 +51359,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
 "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
 "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
 ],
@@ -51413,8 +51471,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/outflanknl/NetshHelperBeacon",
- "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
+ "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"
 ],
 "tags": [
@@ -51728,10 +51786,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
 "https://twitter.com/vysecurity/status/873181705024266241",
- "https://twitter.com/vysecurity/status/974806438316072960",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://twitter.com/vysecurity/status/974806438316072960",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
 ],
 "tags": [
@@ -51764,8 +51822,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"
 ],
 "tags": [
@@ -51933,8 +51991,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
 "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
 ],
 "tags": [
@@ -52033,8 +52091,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
@@ -52069,9 +52127,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -52366,9 +52424,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
- "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://unit42.paloaltonetworks.com/chromeloader-malware/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml"
 ],
 "tags": [
@@ -52545,9 +52603,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
 "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
 "https://twitter.com/bohops/status/1477717351017680899?s=12",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
 ],
 "tags": [
@@ -52605,9 +52663,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/tevora-threat/SharpView/",
- "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
+ "https://github.com/tevora-threat/SharpView/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
 ],
 "tags": [
@@ -52748,8 +52806,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://nsudo.m2team.org/en-us/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
 ],
 "tags": [
@@ -52783,8 +52841,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml"
 ],
 "tags": [
@@ -52887,8 +52945,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
 "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+ "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml"
 ],
 "tags": [
@@ -52921,8 +52979,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml"
 ],
 "tags": [
@@ -52998,8 +53056,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml"
 ],
 "tags": [
@@ -53033,9 +53091,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"
 ],
 "tags": [
@@ -53111,8 +53169,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
 ],
 "tags": [
@@ -53145,8 +53203,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml"
 ],
 "tags": [
@@ -53213,10 +53271,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
 "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior",
- "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode",
+ "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml"
 ],
 "tags": [
@@ -53249,9 +53307,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/countuponsec/status/910977826853068800",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://twitter.com/countuponsec/status/910969424215232518",
- "https://twitter.com/countuponsec/status/910977826853068800",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
 ],
 "tags": [
@@ -53285,9 +53343,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
 "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://twitter.com/splinter_code/status/1483815103279603714",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
 ],
 "tags": [
@@ -53356,8 +53414,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/tag/svchost/",
 "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
+ "https://pentestlab.blog/tag/svchost/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml"
 ],
 "tags": [
@@ -53462,8 +53520,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1206692239839289344",
 "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
+ "https://twitter.com/0gtweet/status/1206692239839289344",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
 ],
 "tags": [
@@ -53595,8 +53653,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
 "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
+ "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml"
 ],
 "tags": [
@@ -53638,9 +53696,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://www.joeware.net/freetools/tools/adfind/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"
 ],
 "tags": [
@@ -53673,8 +53731,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nsudo.m2team.org/en-us/",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://nsudo.m2team.org/en-us/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml"
 ],
 "tags": [
@@ -53708,8 +53766,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml"
 ],
 "tags": [
@@ -53733,12 +53791,12 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
 "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml"
 ],
 "tags": [
@@ -53773,11 +53831,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
- "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
 "https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml"
 ],
 "tags": [
@@ -53810,8 +53868,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
 "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
+ "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml"
 ],
 "tags": [
@@ -53914,8 +53972,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/logman.html",
 "https://twitter.com/0gtweet/status/1359039665232306183?s=21",
+ "https://ss64.com/nt/logman.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml"
 ],
 "tags": [
@@ -53956,8 +54014,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml"
 ],
 "tags": [
@@ -54081,9 +54139,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
- "https://github.com/LOLBAS-Project/LOLBAS/pull/151",
 "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/151",
+ "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml"
 ],
 "tags": [
@@ -54193,8 +54251,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
 "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml"
 ],
 "tags": [
@@ -54328,9 +54386,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
 "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"
 ],
 "tags": [
@@ -54565,10 +54623,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/yellow-cockatoo/",
- "https://zero2auto.com/2020/05/19/netwalker-re/",
 "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
+ "https://zero2auto.com/2020/05/19/netwalker-re/",
+ "https://redcanary.com/blog/yellow-cockatoo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
 ],
 "tags": [
@@ -54696,8 +54754,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
 "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
 ],
 "tags": [
@@ -54730,8 +54788,8 @@
 "logsource.category": "process_tampering",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
 "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
+ "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml"
 ],
 "tags": [
@@ -54765,8 +54823,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"
 ],
 "tags": [
@@ -54808,8 +54866,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/russian-targeting-gov-business",
 "https://megatools.megous.com/",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml"
 ],
 "tags": [
@@ -54986,10 +55044,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml"
 ],
 "tags": [
@@ -55064,8 +55122,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://cydefops.com/devtunnels-unleashed",
+ "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml"
 ],
@@ -55132,11 +55190,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
- "https://github.com/looCiprian/GC2-sheet",
- "https://youtu.be/n2dFlSaBBKo",
- "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
 "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
+ "https://github.com/looCiprian/GC2-sheet",
+ "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
+ "https://youtu.be/n2dFlSaBBKo",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml"
 ],
 "tags": [
@@ -55405,8 +55463,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
 "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml"
 ],
 "tags": [
@@ -55436,6 +55494,42 @@
 "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481",
 "value": "RDP to HTTP or HTTPS Target Ports"
 },
+ {
+ "description": "Detects network connections to Cloudflared tunnels domains initiated by a process on the system.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n",
+ "meta": {
+ "author": "Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2024/05/27",
+ "falsepositive": [
+ "Legitimate use of cloudflare tunnels will also trigger this."
+ ],
+ "filename": "net_connection_win_cloudflared_communication.yml",
+ "level": "medium",
+ "logsource.category": "network_connection",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_cloudflared_communication.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.command_and_control",
+ "attack.t1567.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7cd1dcdc-6edf-4896-86dc-d1f19ad64903",
+ "value": "Network Connection Initiated To Cloudflared Tunnels Domains"
+ },
 {
 "description": "Detects dllhost initiating a network connection to a non-local IP address.\nAside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.\nAn initial baseline is recommended before deployment.\n",
 "meta": {
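Review bot: The `refs` list of the new Cloudflared entry contains the bare string `"Internal Research"`, which is not a URL, while every other `refs` element in view is a link; a consumer that renders or dereferences `meta.refs` as URLs will choke on it. It is presumably copied verbatim from the source rule's `references`, so the cleaner place to handle it is the generator, which could skip non-URL entries or fold them into the description rather than emit them as refs. The entry also tags two tactics (`attack.exfiltration`, `attack.command_and_control`) but records a single `related` link; if `86a96bf6-...` is the attack-pattern for `attack.t1567.001` that is consistent with the other entries, but worth a quick confirmation.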
@@ -55449,8 +55543,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml" ], "tags": [ @@ -55517,10 +55611,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/M_haggis/status/1032799638213066752", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://twitter.com/M_haggis/status/900741347035889665", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml" ], "tags": [ @@ -55622,8 +55716,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/", + "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml" ], 
@@ -55724,9 +55818,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", "hhttps://tria.ge/240301-rk34sagf5x/behavioral2", "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d", + "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml" ], @@ -55794,8 +55888,8 @@ "logsource.product": "windows", "refs": [ "https://ipfyx.fr/post/visual-studio-code-tunnel/", - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://cydefops.com/vscode-data-exfiltration", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml" ], "tags": [ @@ -55851,9 +55945,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://www.poolwatch.io/coin/monero", "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", - "https://www.poolwatch.io/coin/monero", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_crypto_mining_pools.yml" ], "tags": [ 
@@ -55887,9 +55981,9 @@ "logsource.product": "windows", "refs": [ "https://ngrok.com/blog-post/new-ngrok-domains", - "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://ngrok.com/", + "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml" ], "tags": [ @@ -55924,10 +56018,10 @@ "logsource.product": "windows", "refs": [ "https://content.fireeye.com/apt-41/rpt-apt41", - "https://github.com/kleiton0x00/RedditC2", "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://github.com/kleiton0x00/RedditC2", "https://twitter.com/kleiton0x7e/status/1600567316810551296", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml" ], @@ -56045,8 +56139,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml" ], "tags": [ 
@@ -56224,8 +56318,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" ], "tags": [ @@ -56480,8 +56574,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://ngrok.com/", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -56582,8 +56676,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml" ], "tags": [ 
@@ -56617,10 +56711,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://twitter.com/malmoeb/status/1535142803075960832", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], "tags": [ @@ -56722,8 +56816,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" 
@@ -56760,8 +56854,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", - "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", + "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ @@ -56834,8 +56928,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -56993,9 +57087,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule", + "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml" ], "tags": [ 
@@ -57148,8 +57242,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ @@ -57183,8 +57277,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" ], "tags": [ @@ -57412,9 +57506,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ 
@@ -57614,8 +57708,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", - "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", + "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ @@ -57683,8 +57777,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://adsecurity.org/?p=3458", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" ], "tags": [ @@ -57844,9 +57938,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1490608838701166596", - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://www.x86matthew.com/view_post?id=create_svc_rpc", + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://twitter.com/SBousseaden/status/1490608838701166596", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ 
@@ -57879,8 +57973,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://twitter.com/SBousseaden/status/1101431884540710913", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" ], "tags": [ @@ -57916,8 +58010,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" ], "tags": [ @@ -58094,8 +58188,8 @@ "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], "tags": [ 
@@ -58118,10 +58212,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -58262,8 +58356,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], "tags": [ 
@@ -58567,16 +58661,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://bunnyinside.com/?term=f71e8cb9c76a", "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -58659,8 +58753,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/menasec1/status/1106899890377052160", "https://www.secureworks.com/blog/ransomware-as-a-distraction", + "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -58736,8 +58830,8 @@ "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=3466", - "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", + "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ @@ -58878,9 +58972,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.sans.org/webcasts/119395", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ 
@@ -58931,9 +59025,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -58966,10 +59060,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], "tags": [ 
@@ -59144,9 +59238,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], "tags": [ @@ -59206,8 +59300,8 @@ "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", - "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", + "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -59343,8 +59437,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", - "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "Live environment caused by malware", + "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ 
@@ -59411,9 +59505,9 @@ "logsource.product": "windows", "refs": [ "https://x.com/_st0pp3r_/status/1742203752361128162?s=20", - "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", - "https://github.com/deepinstinct/NoFilter", "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation", + "https://github.com/deepinstinct/NoFilter", + "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml" ], "tags": [ @@ -59570,9 +59664,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml" ], "tags": [ 
@@ -59606,10 +59700,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/Flangvik/status/1283054508084473861", - "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", + "https://twitter.com/SecurityJosh/status/1283027365770276866", + "https://twitter.com/Flangvik/status/1283054508084473861", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ @@ -59718,8 +59812,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", - "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", + "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ @@ -59753,8 +59847,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], "tags": [ 
@@ -59787,8 +59881,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml" ], "tags": [ @@ -60142,9 +60236,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://github.com/fox-it/LDAPFragger", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], "tags": [ 
@@ -60518,10 +60612,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ @@ -61102,9 +61196,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://twitter.com/malmoeb/status/1511760068743766026", "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -61241,9 +61335,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/sensepost/ruler", "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", + "https://github.com/sensepost/ruler", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", "https://github.com/sensepost/ruler/issues/47", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" 
@@ -61419,8 +61513,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ @@ -62049,9 +62143,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", - "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", + "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", + "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" ], "tags": [ 
@@ -62084,11 +62178,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" ], "tags": [ @@ -62172,8 +62266,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml" ], "tags": [ 
@@ -62231,11 +62325,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" ], "tags": [ @@ -62269,10 +62363,10 @@ "logsource.product": "windows", "refs": [ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", - "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" ], "tags": [ 
@@ -62305,8 +62399,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983", "https://github.com/amjcyber/EDRNoiseMaker", + "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983", "https://github.com/netero1010/EDRSilencer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml" ], @@ -62340,9 +62434,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml" ], "tags": [ @@ -62365,9 +62459,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml" ], "tags": [ 
@@ -62390,9 +62484,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml" ], "tags": [ @@ -62415,9 +62509,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml" ], "tags": [ 
@@ -62440,9 +62534,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml" ], "tags": [ @@ -62465,9 +62559,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml" ], "tags": [ 
@@ -62490,9 +62584,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml" ], "tags": [ @@ -62525,9 +62619,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml" ], "tags": [ 
@@ -62550,10 +62644,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://twitter.com/SBousseaden/status/1483810148602814466", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ @@ -62577,8 +62671,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://twitter.com/wdormann/status/1590434950335320065", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml" ], "tags": [ 
@@ -62679,8 +62773,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://goo.gl/PsqrhT", "https://twitter.com/JohnLaTwC/status/1004895028995477505", + "https://goo.gl/PsqrhT", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" ], "tags": [ @@ -63175,8 +63269,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/afwu/PrintNightmare", "https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", "https://twitter.com/KevTheHermit/status/1410203844064301056", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml" ], @@ -63243,8 +63337,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" ], "tags": [ 
@@ -63278,9 +63372,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml" ], "tags": [ @@ -63424,8 +63518,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml" ], "tags": [ 
@@ -63458,8 +63552,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", "https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml" ], "tags": [ @@ -63515,9 +63609,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010", - "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml" ], "tags": [ 
@@ -63616,9 +63710,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml" ], "tags": [ @@ -63651,9 +63745,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "Internal Research", - "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" ], "tags": [ @@ -63686,8 +63780,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" ], "tags": [ 
@@ -63720,8 +63814,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml" ], "tags": [ @@ -63754,8 +63848,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml" ], "tags": [ 
@@ -63789,8 +63883,8 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", - "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", + "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], "tags": [ @@ -63866,8 +63960,8 @@ "logsource.product": "windows", "refs": [ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ @@ -64000,11 +64094,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/FlemmingRiis/status/1217147415482060800", - "https://twitter.com/DidierStevens/status/1217533958096924676", "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://www.youtube.com/watch?v=ebmW42YYveI", "https://nullsec.us/windows-event-log-audit-cve/", + "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://twitter.com/FlemmingRiis/status/1217147415482060800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], "tags": [ 
@@ -64083,8 +64177,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml" ], "tags": [ @@ -64154,9 +64248,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -64179,8 +64273,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml" ], "tags": [ 
@@ -64401,8 +64495,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml" ], "tags": [ @@ -64501,11 +64595,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", - "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", - "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", + "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", + "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ 
@@ -64777,8 +64871,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://www.secura.com/blog/zero-logon", + "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" ], "tags": [ @@ -65020,8 +65114,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60", "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/", + "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60", "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml" ], @@ -65525,9 +65619,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.sans.org/webcasts/119395", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], "tags": [ 
@@ -66106,8 +66200,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" ], "tags": [ @@ -66474,9 +66568,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/wdormann/status/1347958161609809921", "https://twitter.com/jonasLyk/status/1347900440000811010", "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", - "https://twitter.com/wdormann/status/1347958161609809921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], "tags": [ @@ -66577,9 +66671,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], "tags": [ 
@@ -66612,9 +66706,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -66866,8 +66960,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/gentilkiwi/status/861641945944391680", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://twitter.com/gentilkiwi/status/861641945944391680", "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], @@ -66934,8 +67028,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml" ], "tags": [ 
@@ -66983,11 +67077,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", - "https://winaero.com/enable-openssh-server-windows-10/", - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", + "https://winaero.com/enable-openssh-server-windows-10/", + "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ 
@@ -67020,9 +67114,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", - "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", + "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -67079,8 +67173,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ 
@@ -67268,8 +67362,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" ], "tags": [ @@ -67317,8 +67411,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" ], "tags": [ @@ -67341,9 +67435,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], 
@@ -67367,9 +67461,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], @@ -67393,9 +67487,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], @@ -67419,9 +67513,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], 
@@ -67672,8 +67766,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ @@ -67717,10 +67811,10 @@ "logsource.product": "windows", "refs": [ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", - "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://hijacklibs.net/", + "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -68104,8 +68198,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://twitter.com/dez_/status/986614411711442944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], 
@@ -68214,12 +68308,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/Wh04m1001/SysmonEoP", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", - "https://github.com/Wh04m1001/SysmonEoP", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -68264,9 +68358,9 @@ "logsource.product": "windows", "refs": [ "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://www.swascan.com/cactus-ransomware-malware-analysis/", "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml" ], "tags": [ 
@@ -68374,9 +68468,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://github.com/tyranid/DotNetToJScript", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://github.com/tyranid/DotNetToJScript", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://thewover.github.io/Introducing-Donut/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], @@ -68454,8 +68548,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", + "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml" ], "tags": [ @@ -68564,8 +68658,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", + "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ 
@@ -68608,11 +68702,11 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/Max_Mal_/status/1775222576639291859", - "https://twitter.com/DTCERT/status/1712785426895839339", "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/", + "https://twitter.com/Max_Mal_/status/1775222576639291859", "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/", "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html", + "https://twitter.com/DTCERT/status/1712785426895839339", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml" ], "tags": [ @@ -68654,10 +68748,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://github.com/bohops/WSMan-WinRM", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://twitter.com/chadtilbury/status/1275851297770610688", "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", - "https://github.com/bohops/WSMan-WinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -68776,8 +68870,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/WhichbufferArda/status/1658829954182774784", - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://securelist.com/apt-luminousmoth/103332/", + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], "tags": [ 
@@ -69185,8 +69279,8 @@ "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", - "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], "tags": [ @@ -69366,8 +69460,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2921", "https://github.com/p3nt4/PowerShdll", + "https://adsecurity.org/?p=2921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" ], "tags": [ @@ -69400,8 +69494,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/ly4k/SpoolFool", "https://github.com/hhlxf/PrintNightmare", + "https://github.com/ly4k/SpoolFool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ @@ -69481,9 +69575,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql", - "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml" ], "tags": [ 
@@ -69610,8 +69704,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://www.roboform.com/", + "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], @@ -69696,10 +69790,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", + "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://github.com/S12cybersecurity/RDPCredentialStealer", - "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], "tags": [ @@ -69800,8 +69894,8 @@ "logsource.product": "windows", "refs": [ "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", - "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml" ], "tags": [ 
@@ -70128,8 +70222,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ @@ -70208,9 +70302,9 @@ "logsource.product": "windows", "refs": [ "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://www.swascan.com/cactus-ransomware-malware-analysis/", "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml" ], "tags": [ @@ -70381,8 +70475,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", + "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" ], "tags": [ 
@@ -70693,8 +70787,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", + "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ @@ -70956,8 +71050,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], @@ -71091,9 +71185,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/bohops/WSMan-WinRM", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ 
@@ -71310,8 +71404,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" ], "tags": [ @@ -71411,8 +71505,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -71613,8 +71707,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ 
@@ -71713,9 +71807,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -71748,11 +71842,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "http://woshub.com/manage-windows-firewall-powershell/", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "http://woshub.com/manage-windows-firewall-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ 
@@ -71819,8 +71913,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" ], "tags": [ @@ -71886,8 +71980,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ 
@@ -71920,8 +72014,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], @@ -72124,8 +72218,8 @@ "logsource.product": "windows", "refs": [ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", - "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" ], "tags": [ @@ -72248,8 +72342,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" ], "tags": [ 
@@ -72380,24 +72474,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/HarmJ0y/DAMP", - "https://github.com/besimorhino/powercat", - "https://github.com/Kevin-Robertson/Powermad", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/samratashok/nishang", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/samratashok/nishang", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/Kevin-Robertson/Powermad", "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/besimorhino/powercat", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/calebstewart/CVE-2021-1675", 
"https://adsecurity.org/?p=2921", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -72629,8 +72723,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" ], "tags": [ @@ -72696,8 +72790,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ 
@@ -72731,8 +72825,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": [ @@ -73020,8 +73114,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ @@ -73054,8 +73148,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/Rubeus", "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], 
@@ -73384,8 +73478,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -73418,8 +73512,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml" ], "tags": [ @@ -73442,8 +73536,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" ], "tags": [ 
@@ -73643,8 +73737,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/850381440629981184", "https://t.co/ezOTGy1a1G", + "https://twitter.com/JohnLaTwC/status/850381440629981184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ @@ -73679,8 +73773,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -73867,9 +73961,9 @@ "logsource.product": "windows", "refs": [ "https://youtu.be/5mqid-7zp8k?t=2481", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -74153,8 +74247,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.fortypoundhead.com/showcontent.asp?artid=24022", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml" ], "tags": [ 
@@ -74222,8 +74316,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" ], "tags": [ @@ -74524,8 +74618,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -74560,8 +74654,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ 
@@ -74748,9 +74842,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": [ @@ -74816,8 +74910,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ @@ -74884,8 +74978,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ 
@@ -74926,8 +75020,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://www.offensive-security.com/metasploit-unleashed/timestomp/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ @@ -75027,11 +75121,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", - "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], "tags": [ 
@@ -75148,8 +75242,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://www.shellhacks.com/clear-history-powershell/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], @@ -75191,8 +75285,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" ], "tags": [ 
@@ -75225,9 +75319,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -75384,8 +75478,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" ], "tags": [ 
@@ -75418,8 +75512,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", "https://twitter.com/NathanMcNulty/status/1569497348841287681", + "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" ], "tags": [ @@ -75493,8 +75587,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ @@ -75528,8 +75622,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", + "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml" ], "tags": [ 
@@ -75587,8 +75681,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" ], "tags": [ @@ -75663,8 +75757,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" ], "tags": [ 
@@ -75730,8 +75824,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -75868,9 +75962,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], "tags": [ 
@@ -76060,8 +76154,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" ], "tags": [ @@ -76094,8 +76188,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -76128,8 +76222,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://techgenix.com/malicious-powershell-scripts-evade-detection/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", + "https://techgenix.com/malicious-powershell-scripts-evade-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ 
@@ -76640,8 +76734,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ @@ -76675,8 +76769,8 @@ "logsource.product": "windows", "refs": [ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ 
@@ -76742,10 +76836,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", - "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", - "https://twitter.com/ScumBots/status/1610626724257046529", "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", + "https://twitter.com/ScumBots/status/1610626724257046529", + "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -76779,8 +76873,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ 
@@ -77248,8 +77342,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], 
@@ -77568,23 +77662,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/HarmJ0y/DAMP", - "https://github.com/besimorhino/powercat", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/PowerShellMafia/PowerSploit", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/samratashok/nishang", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/besimorhino/powercat", + "https://github.com/CsEnox/EventViewer-UACBypass", + 
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -77693,8 +77787,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml" ], "tags": [ 
@@ -77727,24 +77821,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/HarmJ0y/DAMP", - "https://github.com/besimorhino/powercat", - "https://github.com/Kevin-Robertson/Powermad", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/samratashok/nishang", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/samratashok/nishang", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/Kevin-Robertson/Powermad", "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/besimorhino/powercat", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/calebstewart/CVE-2021-1675", 
"https://adsecurity.org/?p=2921", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -77834,8 +77928,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" ], "tags": [ @@ -78093,9 +78187,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://www.mdeditor.tw/pl/pgRt", - "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ 
@@ -78128,8 +78222,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" ], "tags": [ @@ -78321,8 +78415,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" ], "tags": [ @@ -78355,8 +78449,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1659175181695287297", "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", + "https://twitter.com/cyb3rops/status/1659175181695287297", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" ], "tags": [ 
@@ -78415,17 +78509,17 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://github.com/xuanxuan0/DripLoader", - "https://github.com/topotam/PetitPotam", - "https://github.com/hfiref0x/UACME", - "https://github.com/wavestone-cdt/EDRSandblast", "https://github.com/fortra/nanodump", - "https://github.com/outflanknl/Dumpert", - "https://github.com/gentilkiwi/mimikatz", - "https://github.com/antonioCoco/RoguePotato", - "https://www.tarasco.org/security/pwdump_7/", "https://github.com/codewhitesec/HandleKatz", + "https://www.tarasco.org/security/pwdump_7/", + "https://github.com/outflanknl/Dumpert", "https://github.com/ohpe/juicy-potato", + "https://github.com/antonioCoco/RoguePotato", + "https://github.com/hfiref0x/UACME", + "https://github.com/topotam/PetitPotam", + "https://github.com/wavestone-cdt/EDRSandblast", + "https://github.com/xuanxuan0/DripLoader", + "https://github.com/gentilkiwi/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml" ], "tags": [ @@ -78575,8 +78669,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" 
@@ -78612,8 +78706,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" ], "tags": [ @@ -78647,8 +78741,8 @@ "logsource.product": "windows", "refs": [ "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", - "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/codewhitesec/SysmonEnte/", + "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml" ], "tags": [ @@ -78726,8 +78820,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://twitter.com/bh4b3sh/status/1303674603819081728", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml" ], "tags": [ 
@@ -78761,10 +78855,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -78831,8 +78925,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", + "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml" ], "tags": [ 
@@ -78854,38 +78948,38 @@ "value": "Function Call From Undocumented COM Interface EditionUpgradeManager" }, { - "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", + "description": "Detects process access request to uncommon target images with a \"PROCESS_ALL_ACCESS\" access mask.\n", "meta": { - "author": "frack113", - "creation_date": "2023/01/07", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "creation_date": "2024/05/27", "falsepositive": [ "Unknown" ], - "filename": "proc_access_win_susp_invoke_patchingapi.yml", - "level": "medium", + "filename": "proc_access_win_susp_all_access_uncommon_target.yml", + "level": "low", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20", - "https://github.com/D1rkMtr/UnhookingPatch", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml" + "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.privilege_escalation", + "attack.t1055.011" ] }, "related": [ { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "dest-uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b916cba1-b38a-42da-9223-17114d846fd6", - "value": "Potential NT API Stub Patching" + "uuid": "a24e5861-c6ca-4fde-a93c-ba9256feddf0", + "value": "Uncommon Process Access Rights For Target Image" }, { "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, 
server2016 and up.", @@ -78935,8 +79029,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158", + "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml" ], "tags": [ @@ -78970,9 +79064,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml" ], "tags": [ @@ -79005,8 +79099,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml" ], "tags": [ 
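Review bot: Cluster uuid `b916cba1-b38a-42da-9223-17114d846fd6` ("Potential NT API Stub Patching") is removed here and its slot rewritten as uuid `a24e5861-c6ca-4fde-a93c-ba9256feddf0`, so unless the old entry reappears elsewhere in the diff, any MISP event or tag already pinned to the old uuid will no longer resolve. If the upstream Sigma rule was retired, the generator should carry the old cluster forward (its description can note the retirement) rather than dropping it, since galaxy uuids are referenced externally. Separately, the new description on the `+` line ends in a literal `\n` leaked from the YAML block scalar; the generator should `.strip()` rule descriptions before emitting them so the value reads `"... \"PROCESS_ALL_ACCESS\" access mask."`. The enclosing cluster array starts and ends outside this hunk.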
@@ -79310,8 +79404,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/mrd0x/status/1460597833917251595",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
 "https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml"
 ],
 "tags": [
@@ -79379,11 +79473,11 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml"
 ],
 "tags": [
@@ -79417,8 +79511,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/boku7/injectAmsiBypass",
 "https://github.com/boku7/spawn",
+ "https://github.com/boku7/injectAmsiBypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml"
 ],
 "tags": [
@@ -79665,8 +79759,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html",
 "https://github.com/OTRF/detection-hackathon-apt29",
+ "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml"
 ],
 "tags": [
@@ -79732,9 +79826,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
 "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
 "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
 "https://threatpost.com/microsoft-petitpotam-poc/168163/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
 ],
@@ -79775,9 +79869,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
 "https://github.com/nknorg/nkn-sdk-go",
 "https://github.com/Maka8ka/NGLite",
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
 ],
 "tags": [
@@ -79904,8 +79998,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://twitter.com/neu5ron/status/1438987292971053057?s=20",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://twitter.com/neu5ron/status/1438987292971053057?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml"
 ],
 "tags": [
@@ -80022,12 +80116,12 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+ "https://github.com/corelight/CVE-2021-1675",
 "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
 "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
- "https://github.com/corelight/CVE-2021-1675",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
 ],
 "tags": [
@@ -80055,8 +80149,8 @@
 "logsource.product": "zeek",
 "refs": [
 "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
- "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
 "https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
 "https://twitter.com/neu5ron/status/1346245602502443009",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
 ],
@@ -80214,9 +80308,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -80343,9 +80437,9 @@
 "logsource.category": "No established category",
 "logsource.product": "cisco",
 "refs": [
- "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html",
 "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm",
 "https://blog.router-switch.com/2013/11/show-running-config/",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"
 ],
 "tags": [
@@ -80438,8 +80532,8 @@
 "logsource.category": "No established category",
 "logsource.product": "cisco",
 "refs": [
- "https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609",
 "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html",
+ "https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml"
 ],
 "tags": [
@@ -81055,8 +81149,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
 "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -81164,9 +81258,9 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://core.telegram.org/bots/faq",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
 ],
@@ -81389,8 +81483,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
 "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
 "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
@@ -81427,8 +81521,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
 "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
+ "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
 "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
 "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml"
@@ -81505,10 +81599,10 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
- "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
- "https://www.spamhaus.org/statistics/tlds/",
 "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
+ "https://www.spamhaus.org/statistics/tlds/",
+ "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
 ],
 "tags": [
@@ -81669,13 +81763,13 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
- "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
- "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
 "https://twitter.com/crep1x/status/1635034100213112833",
+ "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
+ "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
+ "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
 "https://perishablepress.com/blacklist/ua-2013.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
 ],
@@ -81743,8 +81837,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
 "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
+ "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml"
 ],
 "tags": [
@@ -81846,8 +81940,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
 "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
+ "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
 "https://blog.talosintelligence.com/ipfs-abuse/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
 ],
@@ -81931,9 +82025,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
 "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
- "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml"
 ],
 "tags": [
@@ -82203,8 +82297,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
 ],
 "tags": [
@@ -82379,8 +82473,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
 ],
@@ -82423,8 +82517,8 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
 "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml"
 ],
 "tags": [
@@ -82566,11 +82660,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
 "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
 "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
 "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
- "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
 ],
 "tags": [
@@ -82639,8 +82733,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://githubmemory.com/repo/FunctFan/JNDIExploit",
 "https://github.com/pimps/JNDI-Exploit-Kit",
+ "https://githubmemory.com/repo/FunctFan/JNDIExploit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml"
 ],
 "tags": [
@@ -82779,9 +82873,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
 "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
- "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml"
 ],
 "tags": [
@@ -82851,11 +82945,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
 "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
 "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection",
 "https://brightsec.com/blog/sql-injection-payloads/",
 "https://github.com/payloadbox/sql-injection-payload-list",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml"
 ],
 "tags": [
@@ -82889,8 +82983,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/projectdiscovery/nuclei-templates",
 "https://book.hacktricks.xyz/pentesting-web/file-inclusion",
+ "https://github.com/projectdiscovery/nuclei-templates",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml"
 ],
 "tags": [
@@ -83025,8 +83119,8 @@
 "logsource.category": "application",
 "logsource.product": "jvm",
 "refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml"
 ],
 "tags": [
@@ -83092,9 +83186,9 @@
 "logsource.category": "application",
 "logsource.product": "jvm",
 "refs": [
+ "https://rules.sonarsource.com/java/RSPEC-2755",
 "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
- "https://rules.sonarsource.com/java/RSPEC-2755",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
 ],
 "tags": [
@@ -83195,8 +83289,8 @@
 "logsource.category": "application",
 "logsource.product": "spring",
 "refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml"
 ],
 "tags": [
@@ -83262,10 +83356,10 @@
 "logsource.category": "application",
 "logsource.product": "ruby_on_rails",
 "refs": [
- "http://edgeguides.rubyonrails.org/security.html",
- "http://guides.rubyonrails.org/action_controller_overview.html",
 "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
 "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
+ "http://edgeguides.rubyonrails.org/security.html",
+ "http://guides.rubyonrails.org/action_controller_overview.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
 ],
 "tags": [
@@ -83299,8 +83393,8 @@
 "logsource.category": "application",
 "logsource.product": "velocity",
 "refs": [
- "https://antgarsil.github.io/posts/velocity/",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://antgarsil.github.io/posts/velocity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml"
 ],
 "tags": [
@@ -83366,8 +83460,8 @@
 "logsource.category": "application",
 "logsource.product": "django",
 "refs": [
- "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
 "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
+ "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml"
 ],
 "tags": [
@@ -84322,8 +84416,8 @@
 "logsource.category": "application",
 "logsource.product": "kubernetes",
 "refs": [
- "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/",
+ "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml"
 ],
 "tags": [
@@ -84387,10 +84481,10 @@
 "logsource.category": "application",
 "logsource.product": "kubernetes",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html",
- "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
 "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html",
 "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer",
+ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
+ "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml"
 ],
 "tags": [
@@ -84454,8 +84548,8 @@
 "logsource.category": "application",
 "logsource.product": "kubernetes",
 "refs": [
- "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/",
 "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch",
+ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml"
 ],
 "tags": [
@@ -84487,8 +84581,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml"
 ],
 "tags": [
@@ -84511,9 +84605,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
 ],
@@ -84537,10 +84631,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
 ],
 "tags": [
@@ -84563,9 +84657,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
 ],
 "tags": [
@@ -84606,9 +84700,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
 ],
@@ -84650,9 +84744,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
 ],
@@ -84694,10 +84788,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
 ],
 "tags": [
@@ -84730,11 +84824,11 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
 "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
 ],
@@ -84758,9 +84852,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
 ],
@@ -84802,10 +84896,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
 ],
 "tags": [
@@ -84839,9 +84933,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
 ],
 "tags": [
@@ -84874,9 +84968,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
 ],
@@ -84900,10 +84994,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
 ],
 "tags": [
@@ -84936,9 +85030,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], @@ -84962,10 +85056,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ 
@@ -84988,10 +85082,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -85014,10 +85108,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ 
@@ -85118,8 +85212,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md", "https://www.loobins.io/binaries/xattr/", + "https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" ], "tags": [ @@ -85153,9 +85247,9 @@ "logsource.product": "macos", "refs": [ "https://ss64.com/osx/csrutil.html", - "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://objective-see.org/blog/blog_0x6D.html", + "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" ], "tags": [ @@ -85221,8 +85315,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/osacompile.html", "https://redcanary.com/blog/applescript/", + "https://ss64.com/osx/osacompile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml" ], "tags": [ 
@@ -85330,9 +85424,9 @@ "logsource.product": "macos", "refs": [ "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", - "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", + "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" ], "tags": [ @@ -85365,9 +85459,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ @@ -85424,9 +85518,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/MythicAgents/typhon/", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", - "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ 
@@ -85484,11 +85578,11 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", - "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", "https://www.loobins.io/binaries/launchctl/", - "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", + "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", + "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml" ], "tags": [ @@ -85538,8 +85632,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", "https://ss64.com/osx/sysadminctl.html", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml" ], "tags": [ 
@@ -85607,8 +85701,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", "https://ss64.com/osx/sw_vers.html", + "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" ], @@ -85642,9 +85736,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/MythicAgents/typhon/", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", - "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -85667,8 +85761,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/dscl.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos", + "https://ss64.com/osx/dscl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml" ], "tags": [ 
@@ -85702,9 +85796,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://ss64.com/osx/dsenableroot.html", - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ 
@@ -85932,6 +86026,54 @@ "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", "value": "File Time Attribute Change" }, + { + "description": "Detects the execution of \"sysctl\" with specific arguments that have been used by threat actors and malware. It provides system hardware information.\nThis process is primarily used to detect and avoid virtualization and analysis environments.\n", + "meta": { + "author": "Pratinav Chandra", + "creation_date": "2024/05/27", + "falsepositive": [ + "Legitimate administrative activities" + ], + "filename": "proc_creation_macos_sysctl_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://www.loobins.io/binaries/sysctl/#", + "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", + "https://evasions.checkpoint.com/techniques/macos.html", + "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", + "https://objective-see.org/blog/blog_0x1E.html", + "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1497.001", + "attack.discovery", + "attack.t1082" + ] + }, + "related": [ + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6ff08e55-ea53-4f27-94a1-eff92e6d9d5c", + "value": "System Information Discovery Via Sysctl - MacOS" + }, { "description": "Detects 
enumeration of local or remote network services.", "meta": { @@ -85978,9 +86120,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://linux.die.net/man/1/truncate", "https://linux.die.net/man/1/dd", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ @@ -86274,9 +86416,9 @@ "logsource.product": "macos", "refs": [ "https://ss64.com/osx/csrutil.html", - "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://objective-see.org/blog/blog_0x6D.html", + "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml" ], "tags": [ @@ -86342,8 +86484,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" ], "tags": [ 
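Review bot: The first reference of the new "System Information Discovery Via Sysctl - MacOS" entry, `https://www.loobins.io/binaries/sysctl/#`, carries an empty trailing fragment that the other loobins refs in this section (for example `https://www.loobins.io/binaries/xattr/`) do not; it is harmless in a browser but makes the URL compare unequal to its canonical form for de-duplication or cross-referencing. If this cluster is regenerated from the upstream Sigma rule, the correction belongs in `proc_creation_macos_sysctl_discovery.yml` rather than in this generated JSON, otherwise it can be trimmed here.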
@@ -86479,8 +86621,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", + "https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml" ], "tags": [ @@ -86538,8 +86680,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior", "https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior", + "https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml" ], "tags": [ @@ -86647,8 +86789,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ 
@@ -86788,8 +86930,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sysadminctl.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" ], "tags": [ @@ -86822,8 +86964,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", "https://gist.github.com/Capybara/6228955", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" ], "tags": [ @@ -86889,11 +87031,11 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", + "https://ss64.com/mac/system_profiler.html", "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://objective-see.org/blog/blog_0x62.html", - "https://ss64.com/mac/system_profiler.html", "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", - "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml" ], 
@@ -87332,8 +87474,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" ], "tags": [ @@ -87366,9 +87508,9 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", + "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ 
@@ -87650,8 +87792,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -87708,8 +87850,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -87742,9 +87884,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ + "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", "https://dataconomy.com/2023/10/23/okta-data-breach/", "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", - "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml" ], "tags": [ 
@@ -87790,9 +87932,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", - "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", "https://developer.okta.com/docs/reference/api/system-log/", + "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", + "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ @@ -87825,8 +87967,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -87849,8 +87991,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ 
@@ -87873,8 +88015,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", "https://developer.okta.com/docs/reference/api/system-log/", + "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml" ], "tags": [ @@ -87932,8 +88074,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -87956,8 +88098,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -87980,8 +88122,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ 
@@ -88014,8 +88156,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -88072,9 +88214,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/fastpassphishingdetection", "https://developer.okta.com/docs/reference/api/event-types/", - "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ @@ -88107,8 +88249,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -88131,8 +88273,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ 
@@ -88157,8 +88299,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -88181,8 +88323,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -88251,8 +88393,8 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ - "https://help.duo.com/s/article/6327?language=en_US", "https://duo.com/docs/adminapi#logs", + "https://help.duo.com/s/article/6327?language=en_US", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml" ], "tags": [ @@ -88376,8 +88518,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/pull/1213", "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", + "https://github.com/elastic/detection-rules/pull/1213", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml" ], "tags": [ 
@@ -88555,8 +88697,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" ], "tags": [ @@ -88615,9 +88757,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", + "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" ], "tags": [ @@ -88767,9 +88909,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ 
@@ -88946,8 +89088,8 @@ "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", - "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html", + "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml" ], "tags": [ @@ -89346,13 +89488,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://github.com/elastic/detection-rules/pull/1145/files", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ 
@@ -89699,9 +89841,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", - "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", "https://cloud.google.com/access-context-manager/docs/audit-logging", + "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", + "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" ], "tags": [ @@ -89929,10 +90071,10 @@ "logsource.product": "gcp", "refs": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://github.com/elastic/detection-rules/pull/1267", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://github.com/elastic/detection-rules/pull/1267", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -89956,9 +90098,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://cloud.google.com/kubernetes-engine/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml" ], "tags": [ 
@@ -90051,8 +90193,8 @@
 "logsource.product": "gcp",
 "refs": [
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml"
 ],
 "tags": [
@@ -90099,9 +90241,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml"
 ],
 "tags": [
@@ -90124,8 +90266,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings",
 "https://support.google.com/a/answer/9261439",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml"
 ],
 "tags": [
@@ -90159,8 +90301,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml"
 ],
 "tags": [
@@ -90193,8 +90335,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml"
 ],
 "tags": [
@@ -90327,8 +90469,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html",
 "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml"
 ],
 "tags": [
@@ -90557,8 +90699,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml"
 ],
 "tags": [
@@ -90668,8 +90810,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html",
 "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html",
+ "https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml"
 ],
 "tags": [
@@ -90793,11 +90935,11 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://www.sygnia.co/golden-saml-advisory",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://o365blog.com/post/aadbackdoor/",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml"
 ],
 "tags": [
@@ -90830,8 +90972,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://o365blog.com/post/aadbackdoor/",
 "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/",
+ "https://o365blog.com/post/aadbackdoor/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml"
 ],
 "tags": [
@@ -91950,8 +92092,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
 "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f",
+ "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml"
 ],
 "tags": [
@@ -92524,8 +92666,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
 "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f",
+ "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml"
 ],
 "tags": [
@@ -93499,8 +93641,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml"
 ],
 "tags": [
@@ -93536,8 +93678,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml"
 ],
 "tags": [
@@ -93570,8 +93712,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml"
 ],
 "tags": [
@@ -93607,8 +93749,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml"
 ],
 "tags": [
@@ -93641,8 +93783,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml"
 ],
 "tags": [
@@ -93746,8 +93888,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml"
 ],
 "tags": [
@@ -93814,8 +93956,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml"
 ],
 "tags": [
@@ -93922,9 +94064,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml"
 ],
 "tags": [
@@ -93960,8 +94102,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml"
 ],
 "tags": [
@@ -93994,8 +94136,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml"
 ],
 "tags": [
@@ -94028,8 +94170,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml"
 ],
 "tags": [
@@ -94062,8 +94204,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml"
 ],
 "tags": [
@@ -94096,8 +94238,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address",
 "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml"
 ],
 "tags": [
@@ -94130,8 +94272,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml"
 ],
 "tags": [
@@ -94193,11 +94335,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml"
 ],
 "tags": [
@@ -94246,11 +94388,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml"
 ],
 "tags": [
@@ -94273,11 +94415,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml"
 ],
 "tags": [
@@ -94862,11 +95004,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml"
 ],
 "tags": [
@@ -94974,11 +95116,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
 "tags": [
@@ -95126,11 +95268,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml"
 ],
 "tags": [
@@ -95164,11 +95306,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml"
 ],
 "tags": [
@@ -95450,8 +95592,8 @@
 "refs": [
 "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml"
 ],
 "tags": [
@@ -95788,9 +95930,9 @@
 "logsource.product": "qualys",
 "refs": [
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
 ],
 "tags": [
@@ -95883,9 +96025,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
 "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
 ],
 "tags": [
@@ -95975,12 +96117,12 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
- "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
 "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
+ "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
 "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
+ "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
 ],
 "tags": [
@@ -96046,16 +96188,16 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
 "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
 "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
 "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
 "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://github.com/tennc/webshell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
 ],
 "tags": [
@@ -96088,9 +96230,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
 "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
 "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
 "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
 ],
@@ -96189,8 +96331,8 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
 ],
 "tags": [
@@ -96224,10 +96366,10 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
 ],
 "tags": [
@@ -96284,10 +96426,10 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml"
 ],
 "tags": [
@@ -96486,10 +96628,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
 "https://linux.die.net/man/8/pam_tty_audit",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
 "tags": [
@@ -96665,8 +96807,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://mn3m.info/posts/suid-vs-capabilities/",
- "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
 "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
+ "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
 "https://man7.org/linux/man-pages/man8/getcap.8.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
 ],
@@ -96942,8 +97084,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
+ "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
 ],
 "tags": [
@@ -96976,8 +97118,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -97138,8 +97280,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/wget/",
 "https://linux.die.net/man/1/wget",
+ "https://gtfobins.github.io/gtfobins/wget/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
 ],
 "tags": [
@@ -97272,10 +97414,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
- "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
- "https://linux.die.net/man/1/chage",
 "https://man7.org/linux/man-pages/man1/passwd.1.html",
+ "https://linux.die.net/man/1/chage",
+ "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [
@@ -97374,8 +97516,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://blog.aquasec.com/container-security-tnt-container-attack",
 "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
+ "https://blog.aquasec.com/container-security-tnt-container-attack",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml"
 ],
 "tags": [
@@ -97408,8 +97550,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://imagemagick.org/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://imagemagick.org/",
 "https://linux.die.net/man/1/import",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
@@ -97444,8 +97586,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
 "tags": [
@@ -98078,8 +98220,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
- "https://regex101.com/r/RugQYK/1",
 "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content",
+ "https://regex101.com/r/RugQYK/1",
 "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml"
 ],
@@ -98146,8 +98288,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
 "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
+ "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml"
 ],
 "tags": [
@@ -98170,8 +98312,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/apt/",
 "https://gtfobins.github.io/gtfobins/apt-get/",
+ "https://gtfobins.github.io/gtfobins/apt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
 ],
 "tags": [
@@ -98228,8 +98370,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
 "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
+ "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml"
 ],
 "tags": [
@@ -98318,8 +98460,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
 "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml"
 ],
 "tags": [
@@ -98568,10 +98710,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml"
 ],
 "tags": [
@@ -98637,8 +98779,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -98689,9 +98831,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Tib3rius/AutoRecon",
- "https://github.com/projectdiscovery/naabu",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
+ "https://github.com/projectdiscovery/naabu",
+ "https://github.com/Tib3rius/AutoRecon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml"
 ],
 "tags": [
@@ -98758,8 +98900,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
+ "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
 ],
 "tags": [
@@ -98916,10 +99058,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml"
 ],
 "tags": [
@@ -98952,8 +99094,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
 "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
+ "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
 ],
 "tags": [
@@ -99300,10 +99442,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
 ],
 "tags": [
@@ -99326,9 +99468,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/diego-treitos/linux-smart-enumeration",
 "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
- "https://github.com/diego-treitos/linux-smart-enumeration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
 ],
 "tags": [
@@ -99385,10 +99527,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml"
 ],
 "tags": [
@@ -99447,8 +99589,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/apache/spark/pull/36315/files",
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
 ],
@@ -99484,8 +99626,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
- "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
 ],
 "tags": [
@@ -99528,8 +99670,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
- "https://blogs.blackberry.com/",
 "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
 ],
 "tags": [
@@ -99595,9 +99737,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
 "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
- "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml"
 ],
 "tags": [
@@ -99698,10 +99840,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://linux.die.net/man/8/groupdel",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -99757,9 +99899,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://linux.die.net/man/8/userdel",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
@@ -99793,10 +99935,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml"
 ],
 "tags": [
@@ -99887,9 +100029,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
 "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
 "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml"
 ],
 "tags": [
@@ -99930,15 +100072,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/HavocFramework/Havoc",
- "https://github.com/t3l3machus/Villain",
- "https://github.com/1N3/Sn1per",
- "https://github.com/Ne0nd0g/merlin",
 "https://github.com/Gui774ume/ebpfkit",
 "https://github.com/Pennyw0rth/NetExec/",
- "https://github.com/carlospolop/PEASS-ng",
- "https://github.com/pathtofile/bad-bpf",
+ "https://github.com/1N3/Sn1per",
 "https://github.com/t3l3machus/hoaxshell",
+ "https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/Ne0nd0g/merlin",
+ "https://github.com/t3l3machus/Villain",
+ "https://github.com/HavocFramework/Havoc",
+ "https://github.com/pathtofile/bad-bpf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml"
 ],
 "tags": [
@@ -100038,9 +100180,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml"
 ],
 "tags": [
@@ -100097,8 +100239,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
 "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
+ "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
 ],
 "tags": [
@@ -100173,8 +100315,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
 ],
 "tags": [
@@ -100368,10 +100510,10 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://curl.se/docs/manpage.html",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
 "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -100536,8 +100678,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.computerhope.com/unix/unohup.htm",
- "https://en.wikipedia.org/wiki/Nohup",
 "https://gtfobins.github.io/gtfobins/nohup/",
+ "https://en.wikipedia.org/wiki/Nohup",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
 ],
 "tags": [
@@ -100670,8 +100812,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
 ],
 "tags": [
@@ -100722,9 +100864,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
 "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
 "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml"
 ],
 "tags": [
@@ -100765,11 +100907,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://man7.org/linux/man-pages/man1/ncat.1.html",
- "https://www.infosecademy.com/netcat-reverse-shells/",
 "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://man7.org/linux/man-pages/man1/ncat.1.html",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.infosecademy.com/netcat-reverse-shells/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
 ],
 "tags": [
@@ -100901,8 +101043,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
 "https://github.com/arget13/DDexec",
+ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml"
 ],
 "tags": [
@@ -101001,9 +101143,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/vim/",
 "https://gtfobins.github.io/gtfobins/vimdiff/",
 "https://gtfobins.github.io/gtfobins/rvim/",
+ "https://gtfobins.github.io/gtfobins/vim/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
 ],
 "tags": [
@@ -101036,10 +101178,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"
 ],
 "tags": [
@@ -101096,8 +101238,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://bpftrace.org/",
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
 ],
 "tags": [
@@ -101154,10 +101296,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"
 ],
 "tags": [
@@ -101191,8 +101333,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
- "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
 "https://blogs.blackberry.com/",
+ "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
 ],
 "tags": [
@@ -101258,8 +101400,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
+ "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"
 ],
 "tags": [
@@ -101294,8 +101436,8 @@
 "refs": [
 "https://linuxhint.com/uninstall_yum_package/",
 "https://sysdig.com/blog/mitre-defense-evasion-falco",
- "https://linuxhint.com/uninstall-debian-packages/",
 "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
+ "https://linuxhint.com/uninstall-debian-packages/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
 ],
 "tags": [
@@ -101453,8 +101595,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh",
 "https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/",
+ "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml"
 ],
 "tags": [
@@ -101529,8 +101671,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
+ "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -101663,11 +101805,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html",
- "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html",
 "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors",
 "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team",
 "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections",
+ "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html",
+ "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml"
 ],
 "tags": [
@@ -101735,8 +101877,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
 "https://book.hacktricks.xyz/shells/shells/linux",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
 "tags": [
@@ -101883,9 +102025,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://artkond.com/2017/03/23/pivoting-guide/",
 "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
- "https://artkond.com/2017/03/23/pivoting-guide/",
 "http://pastebin.com/FtygZ1cg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
 ],
@@ -101942,9 +102084,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
- "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
 "https://linux.die.net/man/8/useradd",
+ "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
+ "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
 ],
 "tags": [
@@ -102119,9 +102261,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
 "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
- "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
 ],
 "tags": [
@@ -102312,8 +102454,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
- "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
 ],
 "tags": [
@@ -102575,5 +102717,5 @@
 "value": "Modifying Crontab"
 }
 ],
- "version": 20240516
+ "version": 20240528
 }
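Review bot: Every hunk in this regenerated cluster file only permutes the order of existing `refs` entries while the set of URLs stays the same, which makes the real change (the `"version"` bump from 20240516 to 20240528 in the last hunk) impossible to review among hundreds of no-op reorderings. This looks like the generator emitting `refs` from an unordered collection, so each run produces a different permutation; that is an inference from the diff, not something these hunks show directly. If that is the cause, sorting the list before serialisation (for example `refs = sorted(set(refs))` in the generator) would make the output deterministic, keep future diffs limited to genuine ref additions and removals, and let a reviewer actually verify that no reference was dropped or replaced. The enclosing JSON objects start before and end after each hunk, so the entries' other fields are not visible here.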